GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-12 19:33:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AADS-00S9B0 rev.01.00A01 465,76GB Running: e52uh7qf.exe; Driver: C:\Users\ADMIN\AppData\Local\Temp\uwddakob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8FC55AC4] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x8FD12438] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x90A290BA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8FD12844] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcCreatePort [0x8FD127F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8FC565A2] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x8FD1167E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateEvent [0x8FD10754] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateEventPair [0x8FD107AC] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x8FD12066] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8FC62822] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateMutant [0x8FD106FE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreatePort [0x8FD106A6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x90A29494] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSemaphore [0x8FD107FE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8FD13404] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x90A29724] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x90A2980E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8FC627DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8FC57390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8FC55B2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8FC5AB86] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x8FD12E0A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x8FD11956] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x90A29574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8FC55B90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8FC5AF7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8FC57E78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8FC62666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8FC626AA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x8FD1225E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8FC62846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8FC625D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8FC5A47E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x8FD11C0A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8FC6261A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8FC5A86A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8FC62800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x90A29312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8FC57CEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8FC579FA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8FC55BF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8FC55C5C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x90A29670] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0x8FD1262C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x8FD1310A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8FC55982] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x8FD118CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8FC5755A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8FC576BC] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x8FD11AF6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x90A293E0] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x8FD1122C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8FC55CC2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x90A29244] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 83283A35 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832BD392 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 832C45B0 4 Bytes [C4, 5A, C5, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 832C45BC 4 Bytes [38, 24, D1, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 832C45D8 4 Bytes [BA, 90, A2, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 832C45E4 8 Bytes [44, 28, D1, 8F, F2, 27, D1, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 832C4638 4 Bytes [A2, 65, C5, 8F] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\taskhost.exe[476] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[476] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\taskhost.exe[476] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[476] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[476] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[476] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[476] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\taskhost.exe[476] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[476] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[476] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[476] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[476] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[476] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[476] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\csrss.exe[484] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 5 Bytes JMP 755D2200 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[484] ntdll.dll!NtReplyWaitReceivePort 77646458 5 Bytes JMP 755D18F0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[484] ntdll.dll!NtReplyWaitReceivePortEx 77646468 5 Bytes JMP 755D1D70 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[564] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 5 Bytes JMP 755D2200 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[564] ntdll.dll!NtReplyWaitReceivePort 77646458 5 Bytes JMP 755D18F0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[564] ntdll.dll!NtReplyWaitReceivePortEx 77646468 5 Bytes JMP 755D1D70 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\services.exe[612] services.exe 00441608 4 Bytes [B0, 3D, 3E, 75] .text C:\Windows\system32\services.exe[612] services.exe 00441618 4 Bytes [90, 41, 3E, 75] .text C:\Windows\system32\services.exe[612] services.exe 00441638 4 Bytes [10, 3B, 3E, 75] .text C:\Windows\system32\services.exe[612] services.exe 00441648 4 Bytes [B0, 3F, 3E, 75] .text C:\Windows\system32\services.exe[612] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[612] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [80, 71] .text C:\Windows\system32\services.exe[612] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[612] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[612] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[612] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[612] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\services.exe[612] RPCRT4.dll!RpcServerRegisterIfEx 75DF0898 6 Bytes JMP 719C000A .text C:\Windows\system32\services.exe[612] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[612] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[612] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[612] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[612] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[612] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[612] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[644] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[644] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\lsass.exe[644] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[644] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[644] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[644] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[644] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\lsass.exe[644] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[644] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[644] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[644] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[644] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[644] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[644] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[652] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[652] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\lsm.exe[652] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[652] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[652] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[652] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[652] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\lsm.exe[652] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[652] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[652] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[652] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[652] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[652] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[652] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[780] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[780] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [83, 71] .text C:\Windows\system32\svchost.exe[780] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[780] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[780] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[780] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[780] RPCRT4.dll!RpcServerRegisterIfEx 75DF0898 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[780] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[780] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[780] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[780] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[780] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[780] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[780] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[864] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[864] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\nvvsvc.exe[864] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[864] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[864] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[864] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[864] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\nvvsvc.exe[864] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[864] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[864] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[864] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[864] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[864] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[864] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[908] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[908] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [83, 71] .text C:\Windows\system32\svchost.exe[908] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[908] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[908] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[908] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[908] RPCRT4.dll!RpcServerRegisterIfEx 75DF0898 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[908] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[908] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[908] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[908] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[908] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[908] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[908] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[908] rpcss.dll!CoGetComCatalog 74A735EC 8 Bytes [F0, 32, 3E, 75, B0, 30, 3E, ...] .text C:\Windows\system32\svchost.exe[980] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[980] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\svchost.exe[980] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[980] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[980] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[980] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[980] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[980] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[980] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[980] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[980] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[980] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[980] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[996] ntdll.dll!NtAllocateVirtualMemory 77645318 5 Bytes JMP 011935A0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[996] ntdll.dll!NtCreateFile 77645608 5 Bytes JMP 01232C80 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Windows\system32\svchost.exe[1044] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1044] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\svchost.exe[1044] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1044] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1044] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1044] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1044] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1044] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1044] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1044] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1044] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1044] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1044] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1044] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1128] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1128] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\System32\svchost.exe[1128] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1128] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1128] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1128] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1128] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1128] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1128] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1128] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1168] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1168] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1168] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1168] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1168] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1168] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1168] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [83, 71] .text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1200] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1200] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1200] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1200] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1200] RPCRT4.dll!RpcServerRegisterIfEx 75DF0898 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1200] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1200] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1200] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1200] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1200] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1200] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1200] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1396] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[1404] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1404] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\nvvsvc.exe[1404] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1404] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[1404] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[1404] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1404] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\nvvsvc.exe[1404] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[1404] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[1404] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[1404] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[1404] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[1404] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[1404] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] kernel32.dll!SetUnhandledExceptionFilter 770EF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 7184000A .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 7181000A .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7187000A .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 718D000A .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Program Files\AVAST Software\Avast\avastui.exe[1600] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] kernel32.dll!SetUnhandledExceptionFilter 770EF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1644] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[1692] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[1692] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1692] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\Dwm.exe[1692] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[1692] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[1692] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[1692] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[1692] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [80, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 718D000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 7187000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 7184000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[1708] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1708] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\taskeng.exe[1708] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1708] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[1708] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[1708] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1708] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\taskeng.exe[1708] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[1708] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[1708] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[1708] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[1708] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[1708] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[1708] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Program Files\Windows Sidebar\sidebar.exe[1732] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1816] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1816] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\System32\spoolsv.exe[1816] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1816] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1816] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1816] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1816] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\System32\spoolsv.exe[1816] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1816] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1816] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1816] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1816] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1816] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1816] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\notepad.exe[1860] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[1860] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\notepad.exe[1860] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[1860] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\notepad.exe[1860] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\notepad.exe[1860] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[1860] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\notepad.exe[1860] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\notepad.exe[1860] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\notepad.exe[1860] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\notepad.exe[1860] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\notepad.exe[1860] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\notepad.exe[1860] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\notepad.exe[1860] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1936] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1936] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [83, 71] .text C:\Windows\system32\svchost.exe[1936] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1936] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1936] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1936] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1936] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1936] RPCRT4.dll!RpcServerRegisterIfEx 75DF0898 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1936] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1936] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1936] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1936] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1936] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1936] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1936] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[2308] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2308] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [83, 71] .text C:\Windows\Explorer.EXE[2308] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2308] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[2308] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[2308] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2308] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\Explorer.EXE[2308] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[2308] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[2308] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[2308] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[2308] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[2308] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[2308] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 718D000A .text C:\Windows\System32\alg.exe[2712] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\alg.exe[2712] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\System32\alg.exe[2712] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\alg.exe[2712] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\System32\alg.exe[2712] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\alg.exe[2712] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\alg.exe[2712] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\System32\alg.exe[2712] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\System32\alg.exe[2712] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\System32\alg.exe[2712] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\System32\alg.exe[2712] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\System32\alg.exe[2712] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\System32\alg.exe[2712] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\System32\alg.exe[2712] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe[2812] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2956] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2956] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\svchost.exe[2956] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2956] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2956] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2956] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2956] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[2956] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2956] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2956] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2956] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2956] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2956] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2956] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3028] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3028] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\svchost.exe[3028] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3028] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3028] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3028] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3028] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[3028] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3028] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[3028] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3028] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3028] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3028] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3028] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\vssvc.exe[3388] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\vssvc.exe[3388] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\vssvc.exe[3388] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\vssvc.exe[3388] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\vssvc.exe[3388] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\vssvc.exe[3388] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\vssvc.exe[3388] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\vssvc.exe[3388] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\vssvc.exe[3388] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\vssvc.exe[3388] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\vssvc.exe[3388] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\vssvc.exe[3388] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\vssvc.exe[3388] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\vssvc.exe[3388] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[3464] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3464] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\System32\svchost.exe[3464] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3464] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[3464] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[3464] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3464] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[3464] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[3464] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[3464] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[3464] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[3464] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[3464] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[3464] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[3500] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3500] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\SearchIndexer.exe[3500] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3500] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[3500] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[3500] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3500] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\SearchIndexer.exe[3500] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchIndexer.exe[3500] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchIndexer.exe[3500] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[3500] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[3500] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[3500] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[3500] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3768] ntdll.dll!NtAllocateVirtualMemory 77645318 5 Bytes JMP 00311210 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3768] ntdll.dll!NtCreateFile 77645608 5 Bytes JMP 00311000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3820] ntdll.dll!NtAllocateVirtualMemory 77645318 5 Bytes JMP 00DA2CC0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Windows\system32\wbem\unsecapp.exe[4124] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[4124] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\wbem\unsecapp.exe[4124] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[4124] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\unsecapp.exe[4124] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\unsecapp.exe[4124] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[4124] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\wbem\unsecapp.exe[4124] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\unsecapp.exe[4124] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\unsecapp.exe[4124] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\wbem\unsecapp.exe[4124] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\wbem\unsecapp.exe[4124] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\unsecapp.exe[4124] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\unsecapp.exe[4124] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\wmiprvse.exe[4208] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[4208] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\wbem\wmiprvse.exe[4208] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[4208] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\wmiprvse.exe[4208] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\wmiprvse.exe[4208] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[4208] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\wbem\wmiprvse.exe[4208] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\wmiprvse.exe[4208] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\wmiprvse.exe[4208] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\wmiprvse.exe[4208] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\wmiprvse.exe[4208] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\wmiprvse.exe[4208] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\wbem\wmiprvse.exe[4208] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[4324] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[4324] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\System32\svchost.exe[4324] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[4324] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[4324] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[4324] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[4324] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[4324] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[4324] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[4324] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[4324] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[4324] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[4324] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[4324] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\notepad.exe[4356] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[4356] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\notepad.exe[4356] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[4356] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\notepad.exe[4356] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\notepad.exe[4356] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[4356] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\notepad.exe[4356] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\notepad.exe[4356] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\notepad.exe[4356] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\notepad.exe[4356] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\notepad.exe[4356] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\notepad.exe[4356] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\notepad.exe[4356] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Users\ADMIN\Desktop\e52uh7qf.exe[4556] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4880] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\AUDIODG.EXE[5384] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[5384] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\AUDIODG.EXE[5384] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[5384] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[5384] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[5384] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[5384] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\AUDIODG.EXE[5384] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[5384] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[5384] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[5384] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[5384] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7195001E .text C:\Windows\system32\AUDIODG.EXE[5384] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719B001E .text C:\Windows\system32\AUDIODG.EXE[5384] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7198001E .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [85, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtCreateFile 77645608 5 Bytes JMP 59D89440 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtFlushBuffersFile 77645998 5 Bytes JMP 59A77CC9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtQueryFullAttributesFile 77646028 5 Bytes JMP 59A77F40 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtReadFile 776462F8 5 Bytes JMP 59A77D20 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtReadFileScatter 77646308 5 Bytes JMP 5A6E7D51 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtWriteFile 77646AA8 5 Bytes JMP 59D8A3D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!NtWriteFileGather 77646AB8 5 Bytes JMP 5A6E7D00 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!LdrUnloadDll 7765C8DE 5 Bytes JMP 000E03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] ntdll.dll!LdrLoadDll 776622AE 5 Bytes JMP 6B411F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 770E94E6 7 Bytes JMP 5A62923C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] KERNEL32.dll!QueryPerformanceCounter + 13 770EC4E5 7 Bytes JMP 5A62925F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] KERNEL32.dll!LoadAppInitDlls + 355 770EF5A6 7 Bytes JMP 59D85E74 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] KERNEL32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] KERNEL32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9D, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 7189000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] USER32.dll!GetWindowInfo 76E44B5E 5 Bytes JMP 5A52AF4C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 718F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7192000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] GDI32.dll!GetViewportOrgEx + 26C 75D8884B 7 Bytes JMP 5A6291BD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7195000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[5404] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7198000A .text C:\Windows\notepad.exe[5412] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5412] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\notepad.exe[5412] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5412] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\notepad.exe[5412] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\notepad.exe[5412] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5412] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\notepad.exe[5412] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\notepad.exe[5412] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\notepad.exe[5412] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\notepad.exe[5412] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\notepad.exe[5412] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\notepad.exe[5412] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\notepad.exe[5412] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\notepad.exe[5560] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5560] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\notepad.exe[5560] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5560] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\notepad.exe[5560] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\notepad.exe[5560] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5560] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\notepad.exe[5560] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\notepad.exe[5560] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\notepad.exe[5560] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\notepad.exe[5560] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\notepad.exe[5560] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\notepad.exe[5560] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\notepad.exe[5560] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A .text C:\Windows\system32\notepad.exe[6052] ntdll.dll!NtAlpcSendWaitReceivePort 77645458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[6052] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7764545C 2 Bytes [86, 71] .text C:\Windows\system32\notepad.exe[6052] ntdll.dll!NtClose 77645508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[6052] ntdll.dll!NtClose + 4 7764550C 2 Bytes [AE, 71] .text C:\Windows\system32\notepad.exe[6052] ntdll.dll!LdrUnloadDll 7765C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\notepad.exe[6052] kernel32.dll!CreateProcessInternalW 770F0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[6052] kernel32.dll!CreateProcessInternalW + 4 770F0856 2 Bytes [9E, 71] .text C:\Windows\system32\notepad.exe[6052] GDI32.dll!DeleteDC 75D86EAA 6 Bytes JMP 7193000A .text C:\Windows\system32\notepad.exe[6052] GDI32.dll!GetPixel 75D8C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\notepad.exe[6052] GDI32.dll!CreateDCA 75D8CCA9 6 Bytes JMP 719C000A .text C:\Windows\system32\notepad.exe[6052] GDI32.dll!CreateDCW 75D8CF79 6 Bytes JMP 7199000A .text C:\Windows\system32\notepad.exe[6052] USER32.dll!SetWindowsHookExW 76E3E30C 6 Bytes JMP 718D000A .text C:\Windows\system32\notepad.exe[6052] USER32.dll!SetWinEventHook 76E424DC 6 Bytes JMP 718A000A .text C:\Windows\system32\notepad.exe[6052] USER32.dll!SetWindowsHookExA 76E66D0C 6 Bytes JMP 7190000A ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@CBBB23A3 546 ---- EOF - GMER 2.1 ----