GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-01-10 16:18:03
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-e WDC_WD5003AZEX-00MK2A0 rev.01.01A01 465,76GB
Running: hxi9sqt0.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pgtdqpow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xB46F7F04]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xB46F95D6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xB46F714A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateEvent [0xB46F6220]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateEventPair [0xB46F6278]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xB46F7B32]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xB46F8B3A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateMutant [0xB46F61CA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreatePort [0xB46F6172]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xB46F784E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSemaphore [0xB46F62CA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xB46FA8AC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xB46F6AF4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xB46F82BE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xB46F8534]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xB46F68DE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xB46F96EC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xB46F9900]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xB46FA2B2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xB46F7422]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeKey [0xB46FAB7E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeMultipleKeys [0xB46F94AA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xB46F7D2A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xB46F8A1C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xB46F6322]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xB46F76D6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xB46F662E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xB46F9A72]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xB46F9D26]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xB46F9BA4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xB46F9198]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0xB46F80F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xB46F8840]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xB46FA5B2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xB46F8E56]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xB46F7398]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xB46F75C2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xB46F6F2A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xB46F6CF8]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D14 805045FC 12 Bytes [20, 62, 6F, B4, 78, 62, 6F, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D50 80504638 16 Bytes [4E, 78, 6F, B4, CA, 62, 6F, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB712C3C0, 0x83E20A, 0xE8000020]
? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS Nie można odnaleźć określonego pliku. !
? System32\Drivers\hiber_WMILIB.SYS System nie może odnaleźć określonej ścieżki. !

---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\HPSIsvc.exe[288] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[288] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[288] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[288] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\HPSIsvc.exe[288] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[288] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\HPSIsvc.exe[288] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[288] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[288] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\HPSIsvc.exe[288] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[288] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[288] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[288] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[288] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\HPSIsvc.exe[288] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\HPSIsvc.exe[288] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\HPSIsvc.exe[288] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\HPSIsvc.exe[288] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\HPSIsvc.exe[288] 
GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\HPSIsvc.exe[288] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\HPSIsvc.exe[288] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\HPSIsvc.exe[288] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\HPSIsvc.exe[288] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\HPSIsvc.exe[288] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\srvany.exe[508] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[508] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\srvany.exe[508] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[508] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\srvany.exe[508] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[508] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\srvany.exe[508] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[508] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\srvany.exe[508] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\srvany.exe[508] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[508] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\srvany.exe[508] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[508] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\srvany.exe[508] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text 
C:\WINDOWS\system32\srvany.exe[508] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\srvany.exe[508] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\srvany.exe[508] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\srvany.exe[508] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\srvany.exe[508] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\srvany.exe[508] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\srvany.exe[508] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\srvany.exe[508] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\srvany.exe[508] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\srvany.exe[508] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\KMService.exe[584] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[584] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\KMService.exe[584] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[584] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\KMService.exe[584] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[584] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\KMService.exe[584] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[584] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\KMService.exe[584] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\KMService.exe[584] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\KMService.exe[584] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\KMService.exe[584] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[584] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\KMService.exe[584] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\KMService.exe[584] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\KMService.exe[584] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\KMService.exe[584] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\KMService.exe[584] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\KMService.exe[584] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\KMService.exe[584] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\KMService.exe[584] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\KMService.exe[584] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [73, 71] {JAE 0x73} .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [70, 71] {JO 0x73} .text C:\Program Files\NVIDIA 
Corporation\NetService\NvNetworkService.exe[608] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [97, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [82, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7180000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7186000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717A000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717D000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7177000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7189000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718C000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] GDI32.dll!CreateDCA 
77F1B7D2 6 Bytes JMP 7192000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718F000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[608] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text c:\postgreSQL\bin\postgres.exe[800] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[800] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text c:\postgreSQL\bin\postgres.exe[800] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[800] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text c:\postgreSQL\bin\postgres.exe[800] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[800] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text c:\postgreSQL\bin\postgres.exe[800] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[800] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text c:\postgreSQL\bin\postgres.exe[800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text c:\postgreSQL\bin\postgres.exe[800] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[800] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text c:\postgreSQL\bin\postgres.exe[800] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[800] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text c:\postgreSQL\bin\postgres.exe[800] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text c:\postgreSQL\bin\postgres.exe[800] kernel32.dll!MoveFileWithProgressA 
7C835F4E 6 Bytes JMP 7189000A .text c:\postgreSQL\bin\postgres.exe[800] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text c:\postgreSQL\bin\postgres.exe[800] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text c:\postgreSQL\bin\postgres.exe[800] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text c:\postgreSQL\bin\postgres.exe[800] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text c:\postgreSQL\bin\postgres.exe[800] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text c:\postgreSQL\bin\postgres.exe[800] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text c:\postgreSQL\bin\postgres.exe[800] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text c:\postgreSQL\bin\postgres.exe[812] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[812] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text c:\postgreSQL\bin\postgres.exe[812] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[812] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text c:\postgreSQL\bin\postgres.exe[812] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[812] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text c:\postgreSQL\bin\postgres.exe[812] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[812] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text c:\postgreSQL\bin\postgres.exe[812] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text c:\postgreSQL\bin\postgres.exe[812] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[812] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text c:\postgreSQL\bin\postgres.exe[812] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[812] 
kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text c:\postgreSQL\bin\postgres.exe[812] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text c:\postgreSQL\bin\postgres.exe[812] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7189000A .text c:\postgreSQL\bin\postgres.exe[812] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text c:\postgreSQL\bin\postgres.exe[812] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text c:\postgreSQL\bin\postgres.exe[812] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text c:\postgreSQL\bin\postgres.exe[812] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text c:\postgreSQL\bin\postgres.exe[812] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text c:\postgreSQL\bin\postgres.exe[812] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text c:\postgreSQL\bin\postgres.exe[812] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text c:\postgreSQL\bin\postgres.exe[820] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[820] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text c:\postgreSQL\bin\postgres.exe[820] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[820] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text c:\postgreSQL\bin\postgres.exe[820] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[820] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text c:\postgreSQL\bin\postgres.exe[820] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[820] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text c:\postgreSQL\bin\postgres.exe[820] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text c:\postgreSQL\bin\postgres.exe[820] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text 
c:\postgreSQL\bin\postgres.exe[820] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text c:\postgreSQL\bin\postgres.exe[820] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[820] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text c:\postgreSQL\bin\postgres.exe[820] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text c:\postgreSQL\bin\postgres.exe[820] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7189000A .text c:\postgreSQL\bin\postgres.exe[820] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text c:\postgreSQL\bin\postgres.exe[820] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text c:\postgreSQL\bin\postgres.exe[820] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text c:\postgreSQL\bin\postgres.exe[820] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text c:\postgreSQL\bin\postgres.exe[820] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text c:\postgreSQL\bin\postgres.exe[820] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text c:\postgreSQL\bin\postgres.exe[820] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text c:\postgreSQL\bin\postgres.exe[868] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[868] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text c:\postgreSQL\bin\postgres.exe[868] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[868] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text c:\postgreSQL\bin\postgres.exe[868] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[868] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text c:\postgreSQL\bin\postgres.exe[868] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[868] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 
71] .text c:\postgreSQL\bin\postgres.exe[868] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text c:\postgreSQL\bin\postgres.exe[868] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[868] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text c:\postgreSQL\bin\postgres.exe[868] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[868] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text c:\postgreSQL\bin\postgres.exe[868] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text c:\postgreSQL\bin\postgres.exe[868] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7189000A .text c:\postgreSQL\bin\postgres.exe[868] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text c:\postgreSQL\bin\postgres.exe[868] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text c:\postgreSQL\bin\postgres.exe[868] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text c:\postgreSQL\bin\postgres.exe[868] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text c:\postgreSQL\bin\postgres.exe[868] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text c:\postgreSQL\bin\postgres.exe[868] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text c:\postgreSQL\bin\postgres.exe[868] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text C:\WINDOWS\system32\csrss.exe[884] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[884] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001D70 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[964] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[964] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[964] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[964] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[964] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 
7193000A .text C:\WINDOWS\system32\svchost.exe[964] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[964] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text c:\postgreSQL\bin\postgres.exe[1032] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[1032] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text c:\postgreSQL\bin\postgres.exe[1032] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[1032] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text c:\postgreSQL\bin\postgres.exe[1032] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[1032] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text c:\postgreSQL\bin\postgres.exe[1032] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[1032] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text c:\postgreSQL\bin\postgres.exe[1032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text c:\postgreSQL\bin\postgres.exe[1032] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[1032] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text c:\postgreSQL\bin\postgres.exe[1032] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\postgres.exe[1032] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text c:\postgreSQL\bin\postgres.exe[1032] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text c:\postgreSQL\bin\postgres.exe[1032] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7189000A .text c:\postgreSQL\bin\postgres.exe[1032] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text c:\postgreSQL\bin\postgres.exe[1032] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text c:\postgreSQL\bin\postgres.exe[1032] 
GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text c:\postgreSQL\bin\postgres.exe[1032] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text c:\postgreSQL\bin\postgres.exe[1032] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text c:\postgreSQL\bin\postgres.exe[1032] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text c:\postgreSQL\bin\postgres.exe[1032] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text C:\WINDOWS\system32\nvsvc32.exe[1060] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1060] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\nvsvc32.exe[1060] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1060] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\nvsvc32.exe[1060] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1060] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\nvsvc32.exe[1060] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1060] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\nvsvc32.exe[1060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\nvsvc32.exe[1060] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1060] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\nvsvc32.exe[1060] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[1060] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\nvsvc32.exe[1060] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\nvsvc32.exe[1060] 
kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\nvsvc32.exe[1060] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\nvsvc32.exe[1060] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\nvsvc32.exe[1060] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\nvsvc32.exe[1060] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\nvsvc32.exe[1060] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\nvsvc32.exe[1060] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\nvsvc32.exe[1060] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\nvsvc32.exe[1060] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\nvsvc32.exe[1060] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\services.exe[1124] 
kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\services.exe[1124] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\services.exe[1124] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\services.exe[1124] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\services.exe[1124] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\services.exe[1124] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\services.exe[1124] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\services.exe[1124] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\services.exe[1124] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [75, 71] {JNZ 0x73} .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!NtReplyWaitReceivePortEx + 4 
7C90DAA2 2 Bytes [72, 71] {JB 0x73} .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1136] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A2, 71] .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [99, 71] .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [84, 71] .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\lsass.exe[1136] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7188000A .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\lsass.exe[1136] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\lsass.exe[1136] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\lsass.exe[1136] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[1136] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\lsass.exe[1136] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718B000A .text C:\WINDOWS\system32\lsass.exe[1136] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\lsass.exe[1136] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\lsass.exe[1136] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7191000A .text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1376] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1376] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text 
C:\WINDOWS\system32\svchost.exe[1376] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1376] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1376] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1476] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text 
C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1476] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1476] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1476] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1476] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1476] rpcss.dll!WhichService 76A64234 8 Bytes [70, 92, 01, 10, 30, 90, 01, ...] .text c:\postgreSQL\bin\pg_ctl.exe[1540] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\pg_ctl.exe[1540] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text c:\postgreSQL\bin\pg_ctl.exe[1540] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\pg_ctl.exe[1540] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text c:\postgreSQL\bin\pg_ctl.exe[1540] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\pg_ctl.exe[1540] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text c:\postgreSQL\bin\pg_ctl.exe[1540] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\pg_ctl.exe[1540] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text c:\postgreSQL\bin\pg_ctl.exe[1540] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text c:\postgreSQL\bin\pg_ctl.exe[1540] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\pg_ctl.exe[1540] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text c:\postgreSQL\bin\pg_ctl.exe[1540] kernel32.dll!MoveFileWithProgressW 
7C81E786 3 Bytes [FF, 25, 1E] .text c:\postgreSQL\bin\pg_ctl.exe[1540] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text c:\postgreSQL\bin\pg_ctl.exe[1540] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text c:\postgreSQL\bin\pg_ctl.exe[1540] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7189000A .text c:\postgreSQL\bin\pg_ctl.exe[1540] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, D0, 00] .text c:\postgreSQL\bin\pg_ctl.exe[1540] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, D0, 00] {MOV AL, 0xae; ROL BYTE [EAX], 0x1} .text c:\postgreSQL\bin\pg_ctl.exe[1540] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text c:\postgreSQL\bin\pg_ctl.exe[1540] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text c:\postgreSQL\bin\pg_ctl.exe[1540] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text c:\postgreSQL\bin\pg_ctl.exe[1540] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text c:\postgreSQL\bin\pg_ctl.exe[1540] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text c:\postgreSQL\bin\pg_ctl.exe[1540] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text c:\postgreSQL\bin\pg_ctl.exe[1540] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1572] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 0040E6A0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1572] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 004B76C0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1572] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 004B75D0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] 
.text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1624] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1624] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1624] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1624] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1624] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1624] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A 
.text C:\WINDOWS\system32\svchost.exe[1624] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1624] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[1760] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00431A90 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\WINDOWS\System32\svhost.exe[1764] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[1764] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\svhost.exe[1764] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[1764] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\System32\svhost.exe[1764] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[1764] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\System32\svhost.exe[1764] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[1764] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\System32\svhost.exe[1764] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\svhost.exe[1764] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[1764] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\System32\svhost.exe[1764] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[1764] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\System32\svhost.exe[1764] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\svhost.exe[1764] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\System32\svhost.exe[1764] 
user32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\System32\svhost.exe[1764] user32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\svhost.exe[1764] user32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\System32\svhost.exe[1764] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\System32\svhost.exe[1764] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\System32\svhost.exe[1764] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\System32\svhost.exe[1764] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes 
[89, 71] .text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1772] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1772] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1772] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1772] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1772] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1772] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1772] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1772] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] 
ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 5 Bytes JMP 390085A4 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text 
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[2004] ole32.dll!OleLoadFromStream 7751988B 5 Bytes JMP 395E940D C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll .text C:\WINDOWS\system32\spoolsv.exe[2024] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2024] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[2024] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2024] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\spoolsv.exe[2024] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2024] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\spoolsv.exe[2024] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2024] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[2024] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[2024] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2024] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\spoolsv.exe[2024] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2024] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\spoolsv.exe[2024] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[2024] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[2024] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text 
C:\WINDOWS\system32\spoolsv.exe[2024] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\spoolsv.exe[2024] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\spoolsv.exe[2024] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[2024] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[2024] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\spoolsv.exe[2024] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\spoolsv.exe[2024] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[2024] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] ntdll.dll!LdrUnloadDll 
7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7189000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Documents and 
Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[2088] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] ntdll.dll!LdrUnloadDll 7C916AD5 3 
Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [80, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 717E000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7184000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7187000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Documents 
and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7178000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717B000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\uTorrent.exe[2184] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7175000A .text C:\WINDOWS\explorer.exe[2384] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\explorer.exe[2384] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\explorer.exe[2384] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\explorer.exe[2384] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\explorer.exe[2384] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\explorer.exe[2384] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\explorer.exe[2384] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\explorer.exe[2384] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\explorer.exe[2384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\explorer.exe[2384] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\explorer.exe[2384] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\explorer.exe[2384] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\explorer.exe[2384] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\explorer.exe[2384] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\explorer.exe[2384] kernel32.dll!MoveFileWithProgressA 
7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\explorer.exe[2384] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\explorer.exe[2384] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\explorer.exe[2384] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\explorer.exe[2384] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\explorer.exe[2384] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\explorer.exe[2384] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\explorer.exe[2384] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\explorer.exe[2384] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\explorer.exe[2384] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[2916] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2916] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[2916] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2916] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[2916] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2916] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[2916] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2916] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[2916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[2916] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2916] 
kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[2916] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2916] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[2916] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[2916] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[2916] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\svchost.exe[2916] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[2916] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[2916] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[2916] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[2916] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[2916] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[2916] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[2916] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia 
lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text 
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\MagicHoldem\MagicHoldem_service.exe[3116] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and 
Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] 
kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\HUD_main.exe[3212] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] ntdll.dll!LdrUnloadDll 
7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text 
C:\Documents and Settings\Administrator\Pulpit\Poker\pyfpdb\fpdb.exe[3264] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] kernel32.dll!CreateProcessInternalW + 4 
7C8185F0 2 Bytes [9E, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] 
ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3596] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft 
Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Microsoft 
Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3608] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\System32\svchost.exe[3672] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3672] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\svchost.exe[3672] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3672] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\System32\svchost.exe[3672] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3672] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\System32\svchost.exe[3672] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3672] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\System32\svchost.exe[3672] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\svchost.exe[3672] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3672] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\System32\svchost.exe[3672] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3672] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\System32\svchost.exe[3672] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\svchost.exe[3672] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\System32\svchost.exe[3672] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\System32\svchost.exe[3672] 
ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\System32\svchost.exe[3672] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\System32\svchost.exe[3672] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\svchost.exe[3672] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\System32\svchost.exe[3672] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\System32\svchost.exe[3672] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\System32\svchost.exe[3672] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\System32\svchost.exe[3672] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and 
Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] 
GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Documents and Settings\Administrator\Dane aplikacji\uTorrent\updates\3.4.5_41372\utorrentie.exe[3768] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [75, 71] {JNZ 0x73} .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [72, 71] {JB 0x73} .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] ntdll.dll!LdrUnloadDll + 
4 7C916AD9 2 Bytes [A2, 71] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [99, 71] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [84, 71] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7182000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7188000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717C000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717F000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7179000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718B000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] GDI32.dll!GetPixel 
77F1B74C 6 Bytes JMP 718E000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7194000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[3864] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7191000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3908] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00402960 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3908] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00402710 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3908] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 00402620 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 0352A7DC C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] ntdll.dll!LdrUnloadDll + 4 7C916AD9 
2 Bytes [A7, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4360] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Programy_\PokerStars2\PokerStars.exe[7024] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\PokerStars.exe[7024] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text 
C:\Programy_\PokerStars2\PokerStars.exe[7024] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\PokerStars.exe[7024] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text C:\Programy_\PokerStars2\PokerStars.exe[7024] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\PokerStars.exe[7024] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text C:\Programy_\PokerStars2\PokerStars.exe[7024] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\PokerStars.exe[7024] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text C:\Programy_\PokerStars2\PokerStars.exe[7024] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Programy_\PokerStars2\PokerStars.exe[7024] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\PokerStars.exe[7024] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Programy_\PokerStars2\PokerStars.exe[7024] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\PokerStars.exe[7024] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text C:\Programy_\PokerStars2\PokerStars.exe[7024] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text C:\Programy_\PokerStars2\PokerStars.exe[7024] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7189000A .text C:\Programy_\PokerStars2\PokerStars.exe[7024] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Programy_\PokerStars2\PokerStars.exe[7024] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Programy_\PokerStars2\PokerStars.exe[7024] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Programy_\PokerStars2\PokerStars.exe[7024] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text 
C:\Programy_\PokerStars2\PokerStars.exe[7024] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Programy_\PokerStars2\PokerStars.exe[7024] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Programy_\PokerStars2\PokerStars.exe[7024] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text C:\Programy_\PokerStars2\PokerStars.exe[7024] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text C:\Programy_\PokerStars2\PokerStars.exe[7024] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text C:\Programy_\AIMP3\AIMP3.exe[7344] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[7344] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Programy_\AIMP3\AIMP3.exe[7344] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[7344] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [78, 71] {JS 0x73} .text C:\Programy_\AIMP3\AIMP3.exe[7344] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[7344] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [75, 71] {JNZ 0x73} .text C:\Programy_\AIMP3\AIMP3.exe[7344] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[7344] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A5, 71] .text C:\Programy_\AIMP3\AIMP3.exe[7344] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\Programy_\AIMP3\AIMP3.exe[7344] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[7344] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9C, 71] .text C:\Programy_\AIMP3\AIMP3.exe[7344] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[7344] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [87, 71] .text C:\Programy_\AIMP3\AIMP3.exe[7344] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7185000A .text 
C:\Programy_\AIMP3\AIMP3.exe[7344] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718B000A .text C:\Programy_\AIMP3\AIMP3.exe[7344] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, A4, 01] .text C:\Programy_\AIMP3\AIMP3.exe[7344] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, A4, 01] .text C:\Programy_\AIMP3\AIMP3.exe[7344] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718E000A .text C:\Programy_\AIMP3\AIMP3.exe[7344] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7191000A .text C:\Programy_\AIMP3\AIMP3.exe[7344] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7197000A .text C:\Programy_\AIMP3\AIMP3.exe[7344] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7194000A .text C:\Programy_\AIMP3\AIMP3.exe[7344] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717F000A .text C:\Programy_\AIMP3\AIMP3.exe[7344] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7182000A .text C:\Programy_\AIMP3\AIMP3.exe[7344] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717C000A .text C:\Programy_\PokerStars2\gameutil2.exe[7432] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\gameutil2.exe[7432] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Programy_\PokerStars2\gameutil2.exe[7432] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\gameutil2.exe[7432] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text C:\Programy_\PokerStars2\gameutil2.exe[7432] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\gameutil2.exe[7432] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text C:\Programy_\PokerStars2\gameutil2.exe[7432] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\gameutil2.exe[7432] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text C:\Programy_\PokerStars2\gameutil2.exe[7432] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text 
C:\Programy_\PokerStars2\gameutil2.exe[7432] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\gameutil2.exe[7432] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Programy_\PokerStars2\gameutil2.exe[7432] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\gameutil2.exe[7432] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text C:\Programy_\PokerStars2\gameutil2.exe[7432] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text C:\Programy_\PokerStars2\gameutil2.exe[7432] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7189000A .text C:\Programy_\PokerStars2\gameutil2.exe[7432] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text C:\Programy_\PokerStars2\gameutil2.exe[7432] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text C:\Programy_\PokerStars2\gameutil2.exe[7432] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text C:\Programy_\PokerStars2\gameutil2.exe[7432] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Programy_\PokerStars2\gameutil2.exe[7432] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Programy_\PokerStars2\gameutil2.exe[7432] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Programy_\PokerStars2\gameutil2.exe[7432] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\ctfmon.exe[8952] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[8952] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\ctfmon.exe[8952] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[8952] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\ctfmon.exe[8952] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[8952] 
ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\ctfmon.exe[8952] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[8952] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\ctfmon.exe[8952] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\ctfmon.exe[8952] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[8952] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\ctfmon.exe[8952] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[8952] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\ctfmon.exe[8952] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\ctfmon.exe[8952] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\ctfmon.exe[8952] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\ctfmon.exe[8952] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\ctfmon.exe[8952] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\ctfmon.exe[8952] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\ctfmon.exe[8952] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ctfmon.exe[8952] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ctfmon.exe[8952] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes 
JMP 018CFF71 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 018CFCB1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 018CFE64 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 018CFCEB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 01C5F233 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 018D0115 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 01C5F283 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 00BFA7DC C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 
.text C:\Program Files\Mozilla Firefox\firefox.exe[14104] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01C492B8 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01C488D7 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 019BC918 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 0270AB31 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01C48258 C:\Program Files\Mozilla Firefox\xul.dll .text 
C:\Program Files\Mozilla Firefox\firefox.exe[14104] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Program Files\Mozilla Firefox\firefox.exe[14104] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] 
.text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [86, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7184000A .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718A000A .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Documents and Settings\All Users\Dane aplikacji\UWdMU\WdMan.exe[19652] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Program Files\Adobe\Reader 
11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtAddAtom + 6 7C90CEE4 4 Bytes [68, D5, 88, 00] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtAddAtom + B 7C90CEE9 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtCreateEvent + 6 7C90D094 4 Bytes [68, D1, 88, 00] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtCreateEvent + B 7C90D099 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, D0, 88, 00] {SUB AL, DL; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtCreateKey + 6 7C90D0F4 4 Bytes CALL 7B9159CA .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtCreateKey + B 7C90D0F9 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtCreateMutant + 6 7C90D114 4 Bytes [A8, D2, 88, 00] {TEST AL, 0xd2; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtCreateMutant + B 7C90D119 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtCreateSection + 6 7C90D184 4 Bytes CALL 7B915A5B .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtCreateSection + B 7C90D189 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtDeleteAtom + 6 7C90D224 4 Bytes CALL 7B915AFE .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtDeleteAtom + B 7C90D229 1 Byte [E2] .text C:\Program 
Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtDeleteValueKey + 6 7C90D274 4 Bytes [68, D3, 88, 00] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtDeleteValueKey + B 7C90D279 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtFindAtom + 6 7C90D324 4 Bytes [A8, D5, 88, 00] {TEST AL, 0xd5; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtFindAtom + B 7C90D329 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [68, D6, 88, 00] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenEvent + 6 7C90D584 4 Bytes [A8, D1, 88, 00] {TEST AL, 0xd1; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenEvent + B 7C90D589 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, D0, 88, 00] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenKey + 6 7C90D5D4 4 Bytes [28, D2, 88, 00] {SUB DL, DL; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenKey + B 7C90D5D9 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenMutant + 6 7C90D5E4 4 Bytes [68, D2, 88, 00] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenMutant + B 7C90D5E9 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes CALL 7B915EDC .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] 
ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes [28, D4, 88, 00] {SUB AH, DL; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes CALL 7B915EFD .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenSection + 6 7C90D634 4 Bytes [28, D3, 88, 00] {SUB BL, DL; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenSection + B 7C90D639 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [A8, D3, 88, 00] {TEST AL, 0xd3; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [A8, D4, 88, 00] {TEST AL, 0xd4; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes [28, D5, 88, 00] {SUB CH, DL; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, D0, 88, 00] {TEST AL, 0xd0; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 
Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B916089 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtQueryInformationAtom + 6 7C90D7C4 4 Bytes [28, D6, 88, 00] {SUB DH, DL; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtQueryInformationAtom + B 7C90D7C9 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, D1, 88, 00] {SUB CL, DL; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [68, D4, 88, 00] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [A8, D6, 88, 00] {TEST AL, 0xd6; MOV [EAX], AL} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program 
Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009E0030 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009E0070 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] kernel32.dll!CreateThread 7C810707 5 Bytes JMP 009E00F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [86, 71] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7184000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718A000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 00B20430 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!ActivateKeyboardLayout 7E378673 5 Bytes JMP 00B203F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] 
USER32.dll!IsClipboardFormatAvailable 7E37F166 5 Bytes JMP 00B200F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!GetClipboardSequenceNumber 7E37F17A 2 Bytes JMP 00B202B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!GetClipboardSequenceNumber + 3 7E37F17D 2 Bytes [7A, 82] {JP 0xffffff84} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!CloseClipboard 7E380265 5 Bytes JMP 00B200B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!OpenClipboard 7E380277 5 Bytes JMP 00B20070 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!EmptyClipboard 7E380D96 5 Bytes JMP 00B20130 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!GetClipboardOwner 7E380DA8 5 Bytes JMP 00B202F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!GetClipboardData 7E380DBA 5 Bytes JMP 00B20030 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!SetClipboardData 7E380F9E 5 Bytes JMP 00B20170 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!GetClipboardFormatNameA 7E381290 5 Bytes JMP 00B20270 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!CountClipboardFormats 7E38167F 5 Bytes JMP 00B201F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!GetOpenClipboardWindow 7E381691 5 Bytes JMP 00B20370 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!EnumClipboardFormats 7E38E53D 5 Bytes JMP 00B201B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!GetClipboardFormatNameW 7E3A957F 5 
Bytes JMP 00B20230 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!GetClipboardViewer 7E3BCB94 5 Bytes JMP 00B203B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] USER32.dll!GetPriorityClipboardFormat 7E3BCC96 5 Bytes JMP 00B20330 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!GetDeviceCaps 77F15A69 5 Bytes JMP 00B30370 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SelectObject 77F15B70 5 Bytes JMP 00B305B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SetTextColor 77F15D77 5 Bytes JMP 00B30970 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SetBkMode 77F15EDB 5 Bytes JMP 00B30830 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!IntersectClipRect 77F16A56 5 Bytes JMP 00B303B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!GetClipBox 77F16AA1 5 Bytes JMP 00B30330 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!DeleteObject 77F16BFA 5 Bytes JMP 00B301B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00B30170 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!ExtSelectClipRgn 77F17874 5 Bytes JMP 00B302F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SelectClipRgn 77F17AA0 5 Bytes JMP 00B30570 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!GetTextMetricsW 77F17DB9 5 Bytes JMP 00B30D30 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 00B308B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SetStretchBltMode 77F18597 5 Bytes JMP 00B305F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!RestoreDC 77F18B28 5 Bytes JMP 00B304F0 .text C:\Program 
Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SaveDC 77F18BEE 5 Bytes JMP 00B30530 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SetTextAlign 77F18C8B 5 Bytes JMP 00B30930 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!MoveToEx 77F1A21A 5 Bytes JMP 00B30430 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!GetTextFaceW 77F1A5CB 5 Bytes JMP 00B30C70 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!StretchDIBits 77F1B0AE 2 Bytes JMP 00B306B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!StretchDIBits + 3 77F1B0B1 2 Bytes [C1, 88] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SetWorldTransform 77F1B457 5 Bytes JMP 00B30630 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7191000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00B300B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00B300F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!ExtEscape 77F1C3CC 5 Bytes JMP 00B302B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 00B30870 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!LineTo 77F1D997 5 Bytes JMP 00B303F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!GetTextMetricsA 77F1DF45 5 Bytes JMP 00B30CF0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SetICMMode 77F1E868 5 Bytes JMP 00B30CB0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!Rectangle 77F1E9BE 5 Bytes JMP 00B308F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!GetFontData 77F1F314 5 
Bytes JMP 00B30BB0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!GetTextFaceA 77F1F365 5 Bytes JMP 00B30C30 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SetPolyFillMode 77F20817 5 Bytes JMP 00B30A70 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SetMiterLimit 77F20E8E 5 Bytes JMP 00B30AB0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!Escape 77F26F5A 5 Bytes JMP 00B30270 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!ResetDCW 77F2B9BF 5 Bytes JMP 00B309F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!CreateICW 77F2C823 5 Bytes JMP 00B30130 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!BeginPath 77F2D4C0 5 Bytes JMP 00B30770 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!EndPath 77F2D540 5 Bytes JMP 00B309B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!SelectClipPath 77F2D5C7 5 Bytes JMP 00B30A30 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!EndPage 77F2DC71 5 Bytes JMP 00B30230 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!EndDoc 77F2DF01 5 Bytes JMP 00B301F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!PolyBezierTo 77F2EBE1 5 Bytes JMP 00B30470 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!PolylineTo 77F2EC8E 5 Bytes JMP 00B304B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!CloseFigure 77F2ED2A 5 Bytes JMP 00B30070 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!StartPage 77F2F4AE 5 Bytes JMP 00B30670 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!RemoveFontResourceW 77F3D262 5 Bytes JMP 00B30B70 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] 
GDI32.dll!GetGlyphOutlineW 77F3E8B1 5 Bytes JMP 00B30BF0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!AddFontResourceW 77F4014D 5 Bytes JMP 00B30B30 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!CreateScalableFontResourceW 77F40302 5 Bytes JMP 00B30AF0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!AbortDoc 77F45021 5 Bytes JMP 00B30030 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!StartDocW 77F45CB1 5 Bytes JMP 00B30730 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!StrokePath 77F46407 5 Bytes JMP 00B306F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!FillPath 77F46494 5 Bytes JMP 00B307B0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] GDI32.dll!PolyDraw 77F469CB 5 Bytes JMP 00B307F0 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[23004] ole32.dll!OleSetClipboard 77537858 5 Bytes JMP 00F10030 .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] ntdll.dll!LdrUnloadDll 
7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [86, 71] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7184000A .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718A000A .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text 
C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Documents and Settings\Administrator\Dane aplikacji\TSv\TSvr.exe[25096] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 0352A7DC C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 
2 Bytes [9E, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 01F4BEC0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 01F4BF95 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01F4E0C5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] 
USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[28488] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 01F4C82F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [86, 71] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] kernel32.dll!CopyFileExW 
7C826B8A 6 Bytes JMP 7184000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718A000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[28796] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 
.text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [86, 71] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7184000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718A000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 7F, 01] .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 7F, 01] {MOV AL, 0xae; JG 0x5} .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Programy_\PokerStars2\br\PokerStarsBr.exe[29124] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 
71] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program 
Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[29684] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Program Files\SFK\SSFK.exe[30052] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30052] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\SFK\SSFK.exe[30052] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30052] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\SFK\SSFK.exe[30052] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30052] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\SFK\SSFK.exe[30052] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30052] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\SFK\SSFK.exe[30052] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\SFK\SSFK.exe[30052] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30052] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 
2 Bytes [9E, 71] .text C:\Program Files\SFK\SSFK.exe[30052] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30052] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\SFK\SSFK.exe[30052] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\SFK\SSFK.exe[30052] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\SFK\SSFK.exe[30052] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\SFK\SSFK.exe[30052] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\SFK\SSFK.exe[30052] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\SFK\SSFK.exe[30052] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\SFK\SSFK.exe[30052] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\SFK\SSFK.exe[30052] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\SFK\SSFK.exe[30052] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\SFK\SSFK.exe[30052] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Program Files\SFK\SSFK.exe[30052] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Program Files\SFK\SSFK.exe[30432] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30432] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\SFK\SSFK.exe[30432] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30432] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\SFK\SSFK.exe[30432] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30432] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text 
C:\Program Files\SFK\SSFK.exe[30432] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30432] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\SFK\SSFK.exe[30432] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\SFK\SSFK.exe[30432] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30432] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\SFK\SSFK.exe[30432] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\SFK\SSFK.exe[30432] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\SFK\SSFK.exe[30432] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\SFK\SSFK.exe[30432] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\SFK\SSFK.exe[30432] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\SFK\SSFK.exe[30432] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\SFK\SSFK.exe[30432] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\SFK\SSFK.exe[30432] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\SFK\SSFK.exe[30432] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\SFK\SSFK.exe[30432] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\SFK\SSFK.exe[30432] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\SFK\SSFK.exe[30432] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Program Files\SFK\SSFK.exe[30432] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text E:\FF Download\hxi9sqt0.exe[31232] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text E:\FF Download\hxi9sqt0.exe[31232] ntdll.dll!NtClose + 4 
7C90CFF2 2 Bytes [AE, 71] .text E:\FF Download\hxi9sqt0.exe[31232] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text E:\FF Download\hxi9sqt0.exe[31232] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text E:\FF Download\hxi9sqt0.exe[31232] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text E:\FF Download\hxi9sqt0.exe[31232] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text E:\FF Download\hxi9sqt0.exe[31232] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text E:\FF Download\hxi9sqt0.exe[31232] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text E:\FF Download\hxi9sqt0.exe[31232] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text E:\FF Download\hxi9sqt0.exe[31232] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text E:\FF Download\hxi9sqt0.exe[31232] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text E:\FF Download\hxi9sqt0.exe[31232] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text E:\FF Download\hxi9sqt0.exe[31232] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text E:\FF Download\hxi9sqt0.exe[31232] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text E:\FF Download\hxi9sqt0.exe[31232] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text E:\FF Download\hxi9sqt0.exe[31232] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text E:\FF Download\hxi9sqt0.exe[31232] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text E:\FF Download\hxi9sqt0.exe[31232] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text E:\FF Download\hxi9sqt0.exe[31232] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text E:\FF Download\hxi9sqt0.exe[31232] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text E:\FF Download\hxi9sqt0.exe[31232] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text E:\FF Download\hxi9sqt0.exe[31232] 
GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text E:\FF Download\hxi9sqt0.exe[31232] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text E:\FF Download\hxi9sqt0.exe[31232] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text E:\FF Download\FRST.exe[32688] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text E:\FF Download\FRST.exe[32688] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text E:\FF Download\FRST.exe[32688] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text E:\FF Download\FRST.exe[32688] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text E:\FF Download\FRST.exe[32688] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text E:\FF Download\FRST.exe[32688] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text E:\FF Download\FRST.exe[32688] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text E:\FF Download\FRST.exe[32688] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A1, 71] .text E:\FF Download\FRST.exe[32688] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text E:\FF Download\FRST.exe[32688] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text E:\FF Download\FRST.exe[32688] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [98, 71] .text E:\FF Download\FRST.exe[32688] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text E:\FF Download\FRST.exe[32688] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [83, 71] .text E:\FF Download\FRST.exe[32688] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7181000A .text E:\FF Download\FRST.exe[32688] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7187000A .text E:\FF Download\FRST.exe[32688] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text E:\FF Download\FRST.exe[32688] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} 
.text E:\FF Download\FRST.exe[32688] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text E:\FF Download\FRST.exe[32688] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text E:\FF Download\FRST.exe[32688] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text E:\FF Download\FRST.exe[32688] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text E:\FF Download\FRST.exe[32688] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text E:\FF Download\FRST.exe[32688] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text E:\FF Download\FRST.exe[32688] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\svchost.exe[964] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [66044728] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [KERNEL32.dll!LoadLibraryExA] [66044722] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [KERNEL32.dll!LoadLibraryA] [66044728] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [KERNEL32.dll!LoadLibraryW] [6604477F] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [USER32.dll!SetWindowPlacement] [66603F0E] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [USER32.dll!MoveWindow] [66603F52] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [USER32.dll!GetWindowPlacement] [66603F30] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [USER32.dll!LoadImageW] [660436C6] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT 
C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [USER32.dll!SendMessageW] [66044891] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [USER32.dll!TrackPopupMenuEx] [66044845] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [USER32.dll!TrackPopupMenu] [660447FC] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [USER32.dll!DeferWindowPos] [66603E28] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll IAT C:\WINDOWS\explorer.exe[2384] @ C:\WINDOWS\explorer.exe [USER32.dll!SetWindowPos] [66603F82] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- Processes - GMER 2.1 ---- Library C:\Program Files\WinZipper\eshellctx.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [2384] 0x10120000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{026E2336-A6CB-4E14-BFCD-3EF0B35E58F0}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{026E2336-A6CB-4E14-BFCD-3EF0B35E58F0}\0001@D3D_\x3332\x3331 2089309684 ---- Files - GMER 2.1 ---- ---- EOF - GMER 2.1 ----