GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-04 21:06:54 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e TOSHIBA_MK1665GSX_H rev.GJ001Q 149,05GB Running: 5kr3gk0q.exe; Driver: c:\Tmp\pxtdapod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA7F27BA6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xA831872A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA7F28684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xA7F6CD80] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xA83179DA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xA7F346F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA7F34744] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xA8318358] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA7F348DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xA7F6C734] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xA7F34666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xA7F34788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA7F346AE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xA831AAC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xA7F28BBA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xA7F34898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA7F29472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA7F27C0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xA7F6D446] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA7F6D6FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA7F2CC68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA7F6D2B1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA7F6D11C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xA7F277F8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xA8317CBE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA828DED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA7F27C72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA7F2D05E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA7F29F5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xA7F34722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA7F34766] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xA8318550] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA7F34902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xA7F6CA90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xA7F3468C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xA7F2C560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xA7F34816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA7F346D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xA7F2C94C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xA7F348BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA828DC6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xA7F6CF97] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xA831A210] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xA7F29DCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA7F6CDE9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA7F29924] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xA829BE1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xA7F6BD77] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA7F27CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA7F27D3E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xA7F292EC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xA8318E14] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA7F27892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA7F27A64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xA7F6D54D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA7F279F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA7F2963C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xA7F2979E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA7F27AEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA7F2912A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xA7F292CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xA7F27DA4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA7F286E0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D14 805045FC 16 Bytes [F8, 46, F3, A7, 44, 47, F3, ...] {CLC ; INC ESI; REP CMPSD ; INC ESP; INC EDI; REP CMPSD ; POP EAX; XOR DWORD [ECX], -0x58; FIMUL WORD [EAX-0xd]; CMPSD } .text ntkrnlpa.exe!ZwCallbackReturn + 2D50 80504638 20 Bytes [88, 47, F3, A7, AE, 46, F3, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2E50 80504738 16 Bytes [22, 47, F3, A7, 66, 47, F3, ...] {AND AL, [EDI-0xd]; CMPSD ; INC DI; REP CMPSD ; PUSH EAX; TEST [ECX], ESI; TEST AL, 0x2; DEC ECX; REP CMPSD } .text ntkrnlpa.exe!ZwCallbackReturn + 2F4C 80504834 4 Bytes [E9, CD, F6, A7] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [D8, 7C, F2, A7, 3E, 7D, F2, ...] {FDIVR DWORD [EDX+ESI*8-0x59]; JGE 0xfffffff9 ;TAKEN; CMPSD ; IN AL, DX; XCHG EDX, EAX; REPNZ CMPSD } .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL A7F2A62B \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[144] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[144] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\spoolsv.exe[144] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\spoolsv.exe[144] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[144] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[144] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\spoolsv.exe[144] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[144] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[144] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[144] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\spoolsv.exe[144] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\spoolsv.exe[144] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[144] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[144] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[144] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[144] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\spoolsv.exe[144] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\spoolsv.exe[144] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[392] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00414FE0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[392] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[392] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6E, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6B, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, BA, 00] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, BA, 00] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717B000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7175000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7178000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[668] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7172000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7175000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[720] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[720] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[720] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[720] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[720] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[720] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[720] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[720] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[720] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Gizmo\gservice.exe[752] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gizmo\gservice.exe[752] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Gizmo\gservice.exe[752] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gizmo\gservice.exe[752] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Gizmo\gservice.exe[752] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gizmo\gservice.exe[752] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Gizmo\gservice.exe[752] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\Gizmo\gservice.exe[752] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gizmo\gservice.exe[752] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Gizmo\gservice.exe[752] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Gizmo\gservice.exe[752] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Gizmo\gservice.exe[752] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Gizmo\gservice.exe[752] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Gizmo\gservice.exe[752] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\Program Files\Gizmo\gservice.exe[752] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\Program Files\Gizmo\gservice.exe[752] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Gizmo\gservice.exe[752] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Gizmo\gservice.exe[752] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gizmo\gservice.exe[752] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Gizmo\gservice.exe[752] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\Gizmo\gservice.exe[752] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Gizmo\gservice.exe[752] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Gizmo\gservice.exe[752] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Gizmo\gservice.exe[752] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Gizmo\gservice.exe[752] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Gizmo\gservice.exe[752] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Gizmo\gservice.exe[752] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] KERNEL32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] KERNEL32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe[848] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\System32\smss.exe[1040] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1096] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1096] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1096] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1096] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1096] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1096] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1096] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1096] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1176] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1176] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1176] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1176] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1176] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1176] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1176] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1176] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1176] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1176] rpcss.dll!WhichService 76A64234 8 Bytes [80, 4F, 01, 10, 40, 4D, 01, ...] {OR BYTE [EDI+0x1], 0x10; INC EAX; DEC EBP; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1220] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00403760 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1220] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0044D090 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1220] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1220] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1288] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 10001970 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[1288] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[1288] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1288] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1296] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1296] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1296] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1296] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1296] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1296] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1296] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe[1332] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1388] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\winlogon.exe[1460] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1460] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Launch Manager\WisLMSvc.exe[1508] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[1620] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1692] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1692] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1692] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1692] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1692] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\services.exe[1696] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1696] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\services.exe[1696] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1696] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\services.exe[1696] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1696] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\services.exe[1696] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1696] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1696] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\services.exe[1696] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\services.exe[1696] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\services.exe[1696] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\services.exe[1696] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1696] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\services.exe[1696] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\services.exe[1696] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1696] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\services.exe[1696] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\services.exe[1696] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\services.exe[1696] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\services.exe[1696] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\services.exe[1696] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\services.exe[1696] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\services.exe[1696] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[1696] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\services.exe[1696] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1800] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1800] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1800] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1800] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1800] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1800] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1800] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1800] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\lsass.exe[1828] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1828] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\lsass.exe[1828] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1828] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6F, 71] .text C:\WINDOWS\system32\lsass.exe[1828] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1828] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6C, 71] .text C:\WINDOWS\system32\lsass.exe[1828] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1828] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1828] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A2, 71] .text C:\WINDOWS\system32\lsass.exe[1828] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\system32\lsass.exe[1828] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719A000A .text C:\WINDOWS\system32\lsass.exe[1828] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7197000A .text C:\WINDOWS\system32\lsass.exe[1828] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1828] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\lsass.exe[1828] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\lsass.exe[1828] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\lsass.exe[1828] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\lsass.exe[1828] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1828] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [90, 71] .text C:\WINDOWS\system32\lsass.exe[1828] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\lsass.exe[1828] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7176000A .text C:\WINDOWS\system32\lsass.exe[1828] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\lsass.exe[1828] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7173000A .text C:\WINDOWS\system32\lsass.exe[1828] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[1828] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\lsass.exe[1828] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7188000A .text C:\WINDOWS\system32\lsass.exe[1828] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7185000A .text C:\WINDOWS\RTHDCPL.EXE[1992] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1992] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\RTHDCPL.EXE[1992] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1992] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [72, 71] {JB 0x73} .text C:\WINDOWS\RTHDCPL.EXE[1992] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1992] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6F, 71] .text C:\WINDOWS\RTHDCPL.EXE[1992] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[1992] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1992] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A5, 71] .text C:\WINDOWS\RTHDCPL.EXE[1992] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\RTHDCPL.EXE[1992] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719D000A .text C:\WINDOWS\RTHDCPL.EXE[1992] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719A000A .text C:\WINDOWS\RTHDCPL.EXE[1992] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[1992] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\RTHDCPL.EXE[1992] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\RTHDCPL.EXE[1992] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7191000A .text C:\WINDOWS\RTHDCPL.EXE[1992] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7197000A .text C:\WINDOWS\RTHDCPL.EXE[1992] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[1992] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [93, 71] .text C:\WINDOWS\RTHDCPL.EXE[1992] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717F000A .text C:\WINDOWS\RTHDCPL.EXE[1992] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7182000A .text C:\WINDOWS\RTHDCPL.EXE[1992] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7185000A .text C:\WINDOWS\RTHDCPL.EXE[1992] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718B000A .text C:\WINDOWS\RTHDCPL.EXE[1992] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7188000A .text C:\WINDOWS\RTHDCPL.EXE[1992] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7179000A .text C:\WINDOWS\RTHDCPL.EXE[1992] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717C000A .text C:\WINDOWS\RTHDCPL.EXE[1992] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7176000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [70, 71] {JO 0x73} .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6D, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719B000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7198000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, E4, 00] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, E4, 00] {MOV AL, 0x6b; IN AL, 0x0} .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718F000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7195000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [91, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717D000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7177000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717A000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7174000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7180000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7183000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7189000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2008] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7186000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2180] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2180] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [67, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719B000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7198000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 13, 02] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 13, 02] {MOV AL, 0x6b; ADC EAX, [EDX]} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718F000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7195000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [91, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7177000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717A000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7183000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7189000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7186000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7171000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7174000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2264] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 716E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7175000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2272] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6C, 71] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [69, 71] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text C:\WINDOWS\System32\alg.exe[2312] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\alg.exe[2312] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7197000A .text C:\WINDOWS\System32\alg.exe[2312] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7194000A .text C:\WINDOWS\System32\alg.exe[2312] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2312] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7173000A .text C:\WINDOWS\System32\alg.exe[2312] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7176000A .text C:\WINDOWS\System32\alg.exe[2312] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7170000A .text C:\WINDOWS\System32\alg.exe[2312] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717C000A .text C:\WINDOWS\System32\alg.exe[2312] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 717F000A .text C:\WINDOWS\System32\alg.exe[2312] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7185000A .text C:\WINDOWS\System32\alg.exe[2312] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7182000A .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718B000A .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7191000A .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [8D, 71] .text C:\WINDOWS\System32\alg.exe[2312] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7179000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Launch Manager\HotkeyApp.exe[2388] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6E, 71] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6B, 71] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7175000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7178000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7172000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\AdTrustMedia\PrivDog\2.1.0.22\trustedadssvc.exe[2508] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2600] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesApp32.exe[2824] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3324] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 004011F0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3324] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00401000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3324] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3324] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3340] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\Explorer.EXE[3436] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[3436] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[3436] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[3436] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\Explorer.EXE[3436] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[3436] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\Explorer.EXE[3436] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[3436] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[3436] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[3436] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[3436] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\Explorer.EXE[3436] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\Explorer.EXE[3436] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[3436] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\Explorer.EXE[3436] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\Explorer.EXE[3436] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[3436] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[3436] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[3436] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\Explorer.EXE[3436] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\Explorer.EXE[3436] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\Explorer.EXE[3436] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[3436] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[3436] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[3436] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\Explorer.EXE[3436] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\Explorer.EXE[3436] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\_Downloads\5kr3gk0q.exe[4576] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\_Downloads\5kr3gk0q.exe[4576] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\_Downloads\5kr3gk0q.exe[4576] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\_Downloads\5kr3gk0q.exe[4576] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\_Downloads\5kr3gk0q.exe[4576] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\_Downloads\5kr3gk0q.exe[4576] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\_Downloads\5kr3gk0q.exe[4576] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\_Downloads\5kr3gk0q.exe[4576] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\_Downloads\5kr3gk0q.exe[4576] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\_Downloads\5kr3gk0q.exe[4576] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\_Downloads\5kr3gk0q.exe[4576] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\_Downloads\5kr3gk0q.exe[4576] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\_Downloads\5kr3gk0q.exe[4576] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\_Downloads\5kr3gk0q.exe[4576] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\_Downloads\5kr3gk0q.exe[4576] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\_Downloads\5kr3gk0q.exe[4576] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\_Downloads\5kr3gk0q.exe[4576] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\_Downloads\5kr3gk0q.exe[4576] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\_Downloads\5kr3gk0q.exe[4576] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\_Downloads\5kr3gk0q.exe[4576] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\_Downloads\5kr3gk0q.exe[4576] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\_Downloads\5kr3gk0q.exe[4576] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\_Downloads\5kr3gk0q.exe[4576] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\_Downloads\5kr3gk0q.exe[4576] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\_Downloads\5kr3gk0q.exe[4576] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\_Downloads\5kr3gk0q.exe[4576] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\_Downloads\5kr3gk0q.exe[4576] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01CE0120 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 01CC7BFA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 01CDFB80 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 01CC7CF0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 025D9E7B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [73, 71] {JAE 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [70, 71] {JO 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 01CE0BE0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 025D9E2A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 00461F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 004503FC .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] KERNEL32.dll!CreateProcessW 7C802336 6 Bytes JMP 719E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] KERNEL32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] KERNEL32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0254837F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0254835C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] KERNEL32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 01CDC8D7 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 0244F724 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7177000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7183000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 025482DD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7186000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7189000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 5B, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 5B, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7192000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7198000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [94, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[4856] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7180000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6E, 71] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6B, 71] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A1, 71] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7199000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7196000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] advapi32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] advapi32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] advapi32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718D000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] advapi32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7193000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] advapi32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] advapi32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [8F, 71] .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717B000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7181000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7187000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7184000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7175000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7178000A .text C:\Program Files\FreeCommander\FreeCommander.exe[4960] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7172000A ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1696] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1696] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF4 0xCC 0x41 0xC2 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x68 0xA2 0x8B 0xAD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC1 0x8E 0xAC 0x02 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF4 0xCC 0x41 0xC2 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x68 0xA2 0x8B 0xAD ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC1 0x8E 0xAC 0x02 ... ---- EOF - GMER 2.1 ----