GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-18 23:01:57 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3250410AS rev.3.AAE 232,88GB Running: wvrv828i.exe; Driver: C:\Users\Adam\AppData\Local\Temp\aftcqaow.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x89725580] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8972598C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcCreatePort [0x8972593A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x897247C6] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateEvent [0x8972389C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateEventPair [0x897238F4] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x897251AE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateMutant [0x89723846] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreatePort [0x897237EE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x89724ECA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSemaphore [0x89723946] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8972681E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThread [0x89724170] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x89725BD6] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x89726224] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x89724A9E] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x8EA016F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x8EA01820] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x897253A6] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x8EA01010] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x89724D52] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x8EA014E0] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0x89725774] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x89726524] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x89724A14] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x8EA01300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x8EA013F0] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x89724C3E] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x8EA01120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x8EA01210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x8EA015F0] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRenameKey + 1549 82E74F05 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EAF292 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82EB669C 4 Bytes [80, 55, 72, 89] {ADC BYTE [EBP+0x72], 0x89} .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82EB66C4 8 Bytes [8C, 59, 72, 89, 3A, 59, 72, ...] {MOV [ECX+0x72], DS; MOV [EDX], EDI; POP ECX; JB 0xffffff91} .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82EB6758 4 Bytes [C6, 47, 72, 89] {MOV BYTE [EDI+0x72], 0x89} .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82EB676C 12 Bytes [9C, 38, 72, 89, F4, 38, 72, ...] {PUSHF ; CMP [EDX-0x77], DH; HLT ; CMP [EDX-0x77], DH; SCASB ; PUSH ECX; JB 0xffffff95} .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82EB6794 4 Bytes [46, 38, 72, 89] {INC ESI; CMP [EDX-0x77], DH} .text ... ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\ctfmon.exe[308] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\ctfmon.exe[308] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\ctfmon.exe[308] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\ctfmon.exe[308] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\ctfmon.exe[308] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\ctfmon.exe[308] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\ctfmon.exe[308] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\ctfmon.exe[308] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\ctfmon.exe[308] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\ctfmon.exe[308] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\ctfmon.exe[308] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\ctfmon.exe[308] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\ctfmon.exe[308] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\ctfmon.exe[308] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\ctfmon.exe[308] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\ctfmon.exe[308] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[484] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[484] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[484] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[484] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[484] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[484] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[484] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[484] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[484] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[484] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[484] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[484] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[484] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[484] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\csrss.exe[488] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 5 Bytes JMP 75B62200 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[488] ntdll.dll!NtReplyWaitReceivePort 77C65F80 5 Bytes JMP 75B618F0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[488] ntdll.dll!NtReplyWaitReceivePortEx 77C65F90 5 Bytes JMP 75B61D70 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[556] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 5 Bytes JMP 75B62200 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[556] ntdll.dll!NtReplyWaitReceivePort 77C65F80 5 Bytes JMP 75B618F0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[556] ntdll.dll!NtReplyWaitReceivePortEx 77C65F90 5 Bytes JMP 75B61D70 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\services.exe[664] services.exe 00FF1608 4 Bytes [30, D9, 95, 75] .text C:\Windows\system32\services.exe[664] services.exe 00FF1618 4 Bytes [10, DD, 95, 75] .text C:\Windows\system32\services.exe[664] services.exe 00FF1638 4 Bytes [90, D6, 95, 75] .text C:\Windows\system32\services.exe[664] services.exe 00FF1648 4 Bytes [30, DB, 95, 75] .text C:\Windows\system32\services.exe[664] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[664] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\services.exe[664] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[664] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[664] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[664] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[664] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[664] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[664] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\services.exe[664] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[664] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[664] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7181000A .text C:\Windows\system32\services.exe[664] RPCRT4.dll!RpcServerRegisterIfEx 764D0818 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[664] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7178000A .text C:\Windows\system32\services.exe[664] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7175000A .text C:\Windows\system32\services.exe[664] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717B000A .text C:\Windows\system32\services.exe[664] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[664] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7196000A .text C:\Windows\system32\services.exe[664] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[664] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[664] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[672] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[672] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\lsass.exe[672] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[672] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[672] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[672] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[672] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[672] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[672] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\lsass.exe[672] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[672] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[672] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[672] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\lsass.exe[672] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\lsass.exe[672] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[672] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[672] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[672] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[672] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[672] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[680] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[680] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\lsm.exe[680] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[680] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[680] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[680] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[680] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[680] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[680] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\lsm.exe[680] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[680] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[680] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[680] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\lsm.exe[680] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\lsm.exe[680] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsm.exe[680] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[680] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[680] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[680] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[680] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Program Files\AVG\Framework\Common\avgsvcx.exe[700] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtAlpcConnectPort 77C64E70 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtAlpcConnectPort + 4 77C64E74 2 Bytes [60, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtAlpcCreatePort 77C64E80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtAlpcCreatePort + 4 77C64E84 2 Bytes [63, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [5D, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtClose + 4 77C65034 2 Bytes [12, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtConnectPort 77C650C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtConnectPort + 4 77C650C4 2 Bytes [30, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateEventPair 77C65120 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateEventPair + 4 77C65124 2 Bytes [44, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateFile 77C65130 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateFile + 4 77C65134 2 Bytes [21, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateNamedPipeFile 77C651C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateNamedPipeFile + 4 77C651C4 2 Bytes [24, 71] {AND AL, 0x71} .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreatePort 77C651E0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreatePort + 4 77C651E4 2 Bytes [36, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateSection 77C65250 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateSection + 4 77C65254 2 Bytes [2A, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateWaitablePort 77C652F0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtCreateWaitablePort + 4 77C652F4 2 Bytes [2D, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtFsControlFile 77C65570 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtFsControlFile + 4 77C65574 2 Bytes [18, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtOpenEventPair 77C65830 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtOpenEventPair + 4 77C65834 2 Bytes [41, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtOpenFile 77C65840 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtOpenFile + 4 77C65844 2 Bytes [1E, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtOpenSection 77C65930 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtOpenSection + 4 77C65934 2 Bytes [27, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtQueryVirtualMemory 77C65DC0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtQueryVirtualMemory + 4 77C65DC4 2 Bytes [1B, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtReplyPort 77C65F70 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtReplyPort + 4 77C65F74 2 Bytes [57, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtRequestWaitReplyPort 77C65FC0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtRequestWaitReplyPort + 4 77C65FC4 2 Bytes [5A, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtSecureConnectPort 77C66090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtSecureConnectPort + 4 77C66094 2 Bytes [33, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtSetSystemTime 77C66310 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtSetSystemTime + 4 77C66314 2 Bytes [15, 71] .text C:\Windows\system32\svchost.exe[752] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 7110000A .text C:\Windows\system32\svchost.exe[752] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[752] kernel32.dll!GetPrivateProfileStringW 767C818B 6 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[752] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 708B000A .text C:\Windows\system32\svchost.exe[752] kernel32.dll!GetPrivateProfileStringA 767CE099 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[752] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 7094000A .text C:\Windows\system32\svchost.exe[752] kernel32.dll!RegOpenKeyExW 767DD121 6 Bytes JMP 7188000A .text C:\Windows\system32\svchost.exe[752] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [AB, 70] .text C:\Windows\system32\svchost.exe[752] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 7097000A .text C:\Windows\system32\svchost.exe[752] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7091000A .text C:\Windows\system32\svchost.exe[752] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 708E000A .text C:\Windows\system32\svchost.exe[752] RPCRT4.dll!RpcServerRegisterIfEx 764D0818 6 Bytes JMP 70A6000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!RegisterClassExA 7687629B 6 Bytes JMP 70FE000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!FindWindowExA 76876F71 6 Bytes JMP 70C8000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!GetClassInfoExA 76876FE1 6 Bytes JMP 70F2000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!GetClassInfoA 7687714C 6 Bytes JMP 70EC000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!UnregisterClassA 76878D38 6 Bytes JMP 70F8000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!FindWindowA 76878FC1 6 Bytes JMP 70C2000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!SetLayeredWindowAttributes 7687A6AC 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] USER32.dll!SetLayeredWindowAttributes + 4 7687A6B0 2 Bytes [87, 70] .text C:\Windows\system32\svchost.exe[752] USER32.dll!FindWindowW 7687ADDD 6 Bytes JMP 70C5000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!EnumDesktopWindows 7687B497 6 Bytes JMP 70B6000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!EnumThreadWindows 7687B6E2 6 Bytes JMP 70BC000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!UnregisterClassW 7687B97E 6 Bytes JMP 70FB000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!RegisterClassA 7687BC3A 6 Bytes JMP 7104000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!CreateWindowExA 7687BF10 6 Bytes JMP 70E0000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7070000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!CreateWindowExW 7687EC4C 6 Bytes JMP 70E3000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!RegisterClassW 7687ED1A 6 Bytes JMP 7107000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!RegisterClassExW 76880132 6 Bytes JMP 7101000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!GetClassInfoExW 7688092E 6 Bytes JMP 70F5000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!GetClassInfoW 76880A97 6 Bytes JMP 70EF000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 706D000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!EnumChildWindows 76882920 6 Bytes JMP 70B9000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!GetClassNameW 76882A01 6 Bytes JMP 70E9000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!GetShellWindow 76882FA3 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[752] USER32.dll!GetShellWindow + 4 76882FA7 2 Bytes [9F, 71] .text C:\Windows\system32\svchost.exe[752] USER32.dll!EnumWindows 76883733 6 Bytes JMP 70BF000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!CreateDialogParamA 76891F12 6 Bytes JMP 70D7000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!DialogBoxParamW 76893B6B 6 Bytes JMP 70D4000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!CreateDialogIndirectParamA 768971ED 6 Bytes JMP 7080000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!CreateDialogIndirectParamW 7689E9E0 6 Bytes JMP 7083000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!GetClassNameA 768A2415 6 Bytes JMP 70E6000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!DialogBoxIndirectParamAorW 768A3B10 6 Bytes JMP 70CE000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!DialogBoxIndirectParamW 768A3B4F 6 Bytes JMP 707B000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!CreateDialogIndirectParamAorW 768A52F7 6 Bytes JMP 70DD000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!CreateDialogParamW 768A5600 6 Bytes JMP 70DA000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7073000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!FindWindowExW 768A70FB 6 Bytes JMP 70CB000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!DialogBoxParamA 768BCFB8 6 Bytes JMP 70D1000A .text C:\Windows\system32\svchost.exe[752] USER32.dll!DialogBoxIndirectParamA 768BD2EA 6 Bytes JMP 7078000A .text C:\Windows\system32\svchost.exe[752] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 709A000A .text C:\Windows\system32\svchost.exe[752] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 70A3000A .text C:\Windows\system32\svchost.exe[752] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 70A0000A .text C:\Windows\system32\svchost.exe[752] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 709D000A .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!StartServiceCtrlDispatcherW 765CA8E5 6 Bytes JMP 719D000A .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegisterServiceCtrlHandlerW 765CA8FD 6 Bytes JMP 718E000A .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegisterServiceCtrlHandlerExW 765CA92D 6 Bytes JMP 7197000A .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!SetServiceStatus 765CC726 6 Bytes JMP 718B000A .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegisterServiceCtrlHandlerA 7660377F 6 Bytes JMP 7191000A .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegisterServiceCtrlHandlerExA 7660378F 6 Bytes JMP 7194000A .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!StartServiceCtrlDispatcherA 7660380F 6 Bytes JMP 719A000A .text C:\Windows\system32\svchost.exe[752] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 70A9000A .text C:\Windows\system32\svchost.exe[752] rpcss.dll!CoGetComCatalog 74F935EC 8 Bytes [70, CE, 95, 75, 30, CC, 95, ...] .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[792] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[792] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[792] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[792] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[792] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[792] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[792] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[792] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[792] RPCRT4.dll!RpcServerRegisterIfEx 764D0818 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[792] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[792] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[792] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[792] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[792] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[792] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[792] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[792] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[856] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[856] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\nvvsvc.exe[856] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[856] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[856] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[856] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[856] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[856] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[856] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\nvvsvc.exe[856] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[856] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[856] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[856] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[856] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[856] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[856] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[856] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\nvvsvc.exe[856] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\nvvsvc.exe[856] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[856] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[856] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\system32\nvvsvc.exe[856] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[880] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[924] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[924] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[924] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[924] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[924] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[924] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[924] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[924] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[924] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[924] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[924] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[924] RPCRT4.dll!RpcServerRegisterIfEx 764D0818 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[924] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[924] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[924] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[924] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[924] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[924] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[924] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[924] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[924] rpcss.dll!CoGetComCatalog 74F935EC 8 Bytes [70, CE, 95, 75, 30, CC, 95, ...] .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[1004] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\SearchIndexer.exe[1004] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[1004] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchIndexer.exe[1004] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[1004] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\SearchIndexer.exe[1004] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchIndexer.exe[1004] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[1004] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[1004] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\SearchIndexer.exe[1004] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\SearchIndexer.exe[1004] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[1004] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[1004] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[1004] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[1004] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[1004] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[1004] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\system32\SearchIndexer.exe[1004] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1016] ntdll.dll!NtAllocateVirtualMemory 77C64E40 5 Bytes JMP 0130E930 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1016] ntdll.dll!NtCreateFile 77C65130 5 Bytes JMP 013BA7A0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1016] ntdll.dll!NtOpenFile 77C65840 5 Bytes JMP 013BA6B0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[1044] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe[1048] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1068] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1068] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1112] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1112] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[1112] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1112] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1112] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1112] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1112] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1112] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1112] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\System32\svchost.exe[1112] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Windows\System32\svchost.exe[1152] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1152] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[1152] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1152] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1152] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1152] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1152] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1152] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1152] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[1152] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1152] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1152] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[1152] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1152] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1152] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1152] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1152] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1152] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1152] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\System32\svchost.exe[1152] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1180] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1180] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1180] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1180] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1180] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1204] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1204] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[1204] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1204] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1204] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1204] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1204] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1204] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1204] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1204] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1204] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1204] RPCRT4.dll!RpcServerRegisterIfEx 764D0818 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1204] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1204] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1204] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1204] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1204] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1204] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716C000A .text C:\Windows\system32\svchost.exe[1204] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 716F000A .text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1328] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1328] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1328] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1328] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1328] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1328] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1328] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1328] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1328] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1360] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1360] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[1360] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1360] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1360] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1360] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1360] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1360] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1360] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1360] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1360] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1360] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1360] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1360] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1360] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1360] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1360] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1360] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1360] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1360] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1360] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\system32\svchost.exe[1360] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1476] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[1476] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1476] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1476] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1476] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[1476] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1476] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1476] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1476] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[1476] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[1476] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1476] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1476] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1476] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1476] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1476] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1520] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1520] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\spoolsv.exe[1520] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1520] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1520] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1520] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1520] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1520] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1520] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\System32\spoolsv.exe[1520] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1520] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1520] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1520] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\System32\spoolsv.exe[1520] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\System32\spoolsv.exe[1520] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[1520] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1520] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1520] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1520] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1520] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1520] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\System32\spoolsv.exe[1520] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[1564] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1564] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[1564] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1564] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1564] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1564] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1564] RPCRT4.dll!RpcServerRegisterIfEx 764D0818 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1564] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1564] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[1564] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1564] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1564] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1564] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1564] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1564] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [6E, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1676] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Program Files\AVG\Av\avgidsagent.exe[1720] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 7169000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1736] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 716C000A .text C:\Windows\system32\nvvsvc.exe[1744] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1744] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\nvvsvc.exe[1744] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1744] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[1744] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[1744] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[1744] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[1744] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1744] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\nvvsvc.exe[1744] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[1744] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[1744] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[1744] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[1744] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[1744] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[1744] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[1744] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\nvvsvc.exe[1744] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\nvvsvc.exe[1744] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[1744] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[1744] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\system32\nvvsvc.exe[1744] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[1812] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Program Files\AVG\Av\avgwdsvcx.exe[1904] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Windows\system32\taskhost.exe[1936] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1936] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\taskhost.exe[1936] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1936] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[1936] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[1936] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[1936] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[1936] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1936] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\taskhost.exe[1936] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[1936] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[1936] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[1936] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[1936] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[1936] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[1936] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[1936] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[1936] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\taskhost.exe[1936] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\taskhost.exe[1936] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[1936] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\system32\taskhost.exe[1936] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Windows\system32\Dwm.exe[1992] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1992] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\Dwm.exe[1992] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1992] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[1992] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[1992] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[1992] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[1992] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1992] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\Dwm.exe[1992] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[1992] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[1992] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[1992] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[1992] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[1992] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[1992] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[1992] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\Dwm.exe[1992] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\Dwm.exe[1992] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[1992] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[1992] Shell32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\system32\Dwm.exe[1992] Shell32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Windows\Explorer.EXE[2024] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2024] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [6E, 71] .text C:\Windows\Explorer.EXE[2024] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2024] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[2024] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[2024] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\Explorer.EXE[2024] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[2024] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2024] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\Explorer.EXE[2024] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[2024] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[2024] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\Explorer.EXE[2024] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[2024] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[2024] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[2024] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[2024] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7175000A .text C:\Windows\Explorer.EXE[2024] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7172000A .text C:\Windows\Explorer.EXE[2024] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7178000A .text C:\Windows\Explorer.EXE[2024] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 717B000A .text C:\Windows\Explorer.EXE[2024] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[2024] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [6E, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[2108] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [6E, 71] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2304] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\AVG\Av\avgui.exe[2316] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgui.exe[2316] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [68, 71] .text C:\Program Files\AVG\Av\avgui.exe[2316] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgui.exe[2316] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\AVG\Av\avgui.exe[2316] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\AVG\Av\avgui.exe[2316] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 717B000A .text C:\Program Files\AVG\Av\avgui.exe[2316] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 7184000A .text C:\Program Files\AVG\Av\avgui.exe[2316] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgui.exe[2316] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\AVG\Av\avgui.exe[2316] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 7187000A .text C:\Program Files\AVG\Av\avgui.exe[2316] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7181000A .text C:\Program Files\AVG\Av\avgui.exe[2316] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 717E000A .text C:\Program Files\AVG\Av\avgui.exe[2316] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 718A000A .text C:\Program Files\AVG\Av\avgui.exe[2316] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\AVG\Av\avgui.exe[2316] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\AVG\Av\avgui.exe[2316] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\AVG\Av\avgui.exe[2316] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 716F000A .text C:\Program Files\AVG\Av\avgui.exe[2316] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 716C000A .text C:\Program Files\AVG\Av\avgui.exe[2316] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7172000A .text C:\Program Files\AVG\Av\avgui.exe[2316] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\AVG\Av\avgui.exe[2316] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 7175000A .text C:\Program Files\AVG\Av\avgui.exe[2316] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [6E, 71] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2360] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 717E000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [6E, 71] .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7175000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7172000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7178000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 717B000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 717E000A .text C:\Program Files\AVG\Framework\Common\avguix.exe[2376] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [68, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 716F000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 716C000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2476] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[2652] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2652] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[2652] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2652] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2652] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2652] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2652] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2652] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2652] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[2652] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2652] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2652] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2652] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[2652] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[2652] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2652] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2652] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2652] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2652] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2652] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [6E, 71] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2792] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [6E, 71] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[2804] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 717E000A .text C:\Windows\system32\conhost.exe[2812] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[2812] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\conhost.exe[2812] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[2812] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\conhost.exe[2812] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\conhost.exe[2812] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\conhost.exe[2812] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\conhost.exe[2812] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[2812] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\conhost.exe[2812] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\conhost.exe[2812] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\conhost.exe[2812] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\conhost.exe[2812] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\conhost.exe[2812] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\conhost.exe[2812] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\conhost.exe[2812] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\conhost.exe[2812] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\conhost.exe[2812] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\conhost.exe[2812] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\conhost.exe[2812] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\conhost.exe[2816] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[2816] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\conhost.exe[2816] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[2816] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\conhost.exe[2816] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\conhost.exe[2816] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\conhost.exe[2816] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\conhost.exe[2816] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[2816] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\conhost.exe[2816] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\conhost.exe[2816] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\conhost.exe[2816] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\conhost.exe[2816] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\conhost.exe[2816] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\conhost.exe[2816] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\conhost.exe[2816] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\conhost.exe[2816] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\conhost.exe[2816] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\conhost.exe[2816] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\conhost.exe[2816] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Users\Adam\Desktop\ransomware locky - 18.10.2016\wvrv828i.exe[3068] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[3328] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[3328] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[3328] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3328] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[3328] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3328] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[3328] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[3328] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[3328] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[3328] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[3328] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3328] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3328] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3328] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3328] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgemcx.exe[3592] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\Av\avgemcx.exe[3592] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\AVG\Av\avgemcx.exe[3592] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\AVG\Av\avgemcx.exe[3592] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtAllocateVirtualMemory 77C64E40 5 Bytes JMP 00F42910 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtCreateFile 77C65130 5 Bytes JMP 00F426C0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtOpenFile 77C65840 5 Bytes JMP 00F425D0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4044] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\AVG\Av\avgrsx.exe[4068] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4164] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtAllocateVirtualMemory 77C64E40 5 Bytes JMP 013713A0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[4308] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\system32\wuauclt.exe[4588] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\wuauclt.exe[4588] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\system32\wuauclt.exe[4588] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\system32\wuauclt.exe[4588] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wuauclt.exe[4588] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\wuauclt.exe[4588] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\system32\wuauclt.exe[4588] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\system32\wuauclt.exe[4588] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\system32\wuauclt.exe[4588] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\system32\wuauclt.exe[4588] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\wuauclt.exe[4588] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\system32\wuauclt.exe[4588] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\system32\wuauclt.exe[4588] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\system32\wuauclt.exe[4588] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\system32\wuauclt.exe[4588] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\system32\wuauclt.exe[4588] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\wuauclt.exe[4588] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\system32\wuauclt.exe[4588] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[5044] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\System32\svchost.exe[5044] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[5044] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[5044] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[5044] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[5044] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[5044] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[5044] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[5044] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[5044] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[5044] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[5044] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[5044] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[5044] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[5044] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[5044] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[5044] SHELL32.dll!SHFileOperationW 769F9670 6 Bytes JMP 716F000A .text C:\Windows\System32\svchost.exe[5044] SHELL32.dll!SHFileOperation 76BFC509 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtAlpcConnectPort 77C64E70 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtAlpcConnectPort + 4 77C64E74 2 Bytes [60, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtAlpcCreatePort 77C64E80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtAlpcCreatePort + 4 77C64E84 2 Bytes [63, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [5D, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtClose + 4 77C65034 2 Bytes [12, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtConnectPort 77C650C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtConnectPort + 4 77C650C4 2 Bytes [30, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateEvent 77C65110 5 Bytes JMP 68F22650 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateEventPair 77C65120 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateEventPair + 4 77C65124 2 Bytes [44, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateFile 77C65130 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateFile + 4 77C65134 2 Bytes [21, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateMutant 77C651B0 5 Bytes JMP 68F228E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateNamedPipeFile 77C651C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateNamedPipeFile + 4 77C651C4 2 Bytes [24, 71] {AND AL, 0x71} .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreatePort 77C651E0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreatePort + 4 77C651E4 2 Bytes [36, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateSection 77C65250 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateSection + 4 77C65254 2 Bytes [2A, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateSemaphore 77C65260 5 Bytes JMP 68F22B70 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateUserProcess 77C652E0 5 Bytes JMP 68F22E00 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateWaitablePort 77C652F0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtCreateWaitablePort + 4 77C652F4 2 Bytes [2D, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtFsControlFile 77C65570 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtFsControlFile + 4 77C65574 2 Bytes [18, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtMapViewOfSection 77C65790 5 Bytes JMP 68F22360 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtOpenEvent 77C65820 5 Bytes JMP 68F227A0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtOpenEventPair 77C65830 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtOpenEventPair + 4 77C65834 2 Bytes [41, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtOpenFile 77C65840 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtOpenFile + 4 77C65844 2 Bytes [1E, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtOpenMutant 77C658C0 5 Bytes JMP 68F22A30 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtOpenSection 77C65930 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtOpenSection + 4 77C65934 2 Bytes [27, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtOpenSemaphore 77C65940 5 Bytes JMP 68F22CC0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtQueryInformationProcess 77C65BB0 5 Bytes JMP 68F230E0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtQueryVirtualMemory 77C65DC0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtQueryVirtualMemory + 4 77C65DC4 2 Bytes [1B, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtReplyPort 77C65F70 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtReplyPort + 4 77C65F74 2 Bytes [57, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtRequestWaitReplyPort 77C65FC0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtRequestWaitReplyPort + 4 77C65FC4 2 Bytes [5A, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtResumeThread 77C66010 5 Bytes JMP 68F22520 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtSecureConnectPort 77C66090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtSecureConnectPort + 4 77C66094 2 Bytes [33, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtSetSystemTime 77C66310 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtSetSystemTime + 4 77C66314 2 Bytes [15, 71] .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!NtWriteVirtualMemory 77C66600 5 Bytes JMP 68F221F0 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!RtlQueryEnvironmentVariable 77C7859F 5 Bytes JMP 68F22F80 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 7110000A .text C:\Windows\system32\svchost.exe[5052] ntdll.dll!RtlDecompressBuffer 77CD56BD 5 Bytes JMP 68F22E90 C:\Program Files\AVG\Av\avghookx.dll .text C:\Windows\system32\svchost.exe[5052] kernel32.dll!GetPrivateProfileStringW 767C818B 6 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[5052] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 708B000A .text C:\Windows\system32\svchost.exe[5052] kernel32.dll!GetPrivateProfileStringA 767CE099 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[5052] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 7094000A .text C:\Windows\system32\svchost.exe[5052] kernel32.dll!RegOpenKeyExW 767DD121 6 Bytes JMP 7188000A .text C:\Windows\system32\svchost.exe[5052] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [AB, 70] .text C:\Windows\system32\svchost.exe[5052] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 7097000A .text C:\Windows\system32\svchost.exe[5052] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7091000A .text C:\Windows\system32\svchost.exe[5052] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 708E000A .text C:\Windows\system32\svchost.exe[5052] RPCRT4.dll!RpcServerRegisterIfEx 764D0818 6 Bytes JMP 70A6000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!RegisterClassExA 7687629B 6 Bytes JMP 70FE000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!FindWindowExA 76876F71 6 Bytes JMP 70C8000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!GetClassInfoExA 76876FE1 6 Bytes JMP 70F2000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!GetClassInfoA 7687714C 6 Bytes JMP 70EC000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!UnregisterClassA 76878D38 6 Bytes JMP 70F8000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!FindWindowA 76878FC1 6 Bytes JMP 70C2000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!SetLayeredWindowAttributes 7687A6AC 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] USER32.dll!SetLayeredWindowAttributes + 4 7687A6B0 2 Bytes [87, 70] .text C:\Windows\system32\svchost.exe[5052] USER32.dll!FindWindowW 7687ADDD 6 Bytes JMP 70C5000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!EnumDesktopWindows 7687B497 6 Bytes JMP 70B6000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!EnumThreadWindows 7687B6E2 6 Bytes JMP 70BC000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!UnregisterClassW 7687B97E 6 Bytes JMP 70FB000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!RegisterClassA 7687BC3A 6 Bytes JMP 7104000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!CreateWindowExA 7687BF10 6 Bytes JMP 70E0000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 7070000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!CreateWindowExW 7687EC4C 6 Bytes JMP 70E3000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!RegisterClassW 7687ED1A 6 Bytes JMP 7107000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!RegisterClassExW 76880132 6 Bytes JMP 7101000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!GetClassInfoExW 7688092E 6 Bytes JMP 70F5000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!GetClassInfoW 76880A97 6 Bytes JMP 70EF000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 706D000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!EnumChildWindows 76882920 6 Bytes JMP 70B9000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!GetClassNameW 76882A01 6 Bytes JMP 70E9000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!GetShellWindow 76882FA3 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[5052] USER32.dll!GetShellWindow + 4 76882FA7 2 Bytes [9F, 71] .text C:\Windows\system32\svchost.exe[5052] USER32.dll!EnumWindows 76883733 6 Bytes JMP 70BF000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!CreateDialogParamA 76891F12 6 Bytes JMP 70D7000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!DialogBoxParamW 76893B6B 6 Bytes JMP 70D4000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!CreateDialogIndirectParamA 768971ED 6 Bytes JMP 7080000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!CreateDialogIndirectParamW 7689E9E0 6 Bytes JMP 7083000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!GetClassNameA 768A2415 6 Bytes JMP 70E6000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!DialogBoxIndirectParamAorW 768A3B10 6 Bytes JMP 70CE000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!DialogBoxIndirectParamW 768A3B4F 6 Bytes JMP 707B000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!CreateDialogIndirectParamAorW 768A52F7 6 Bytes JMP 70DD000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!CreateDialogParamW 768A5600 6 Bytes JMP 70DA000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 7073000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!FindWindowExW 768A70FB 6 Bytes JMP 70CB000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!DialogBoxParamA 768BCFB8 6 Bytes JMP 70D1000A .text C:\Windows\system32\svchost.exe[5052] USER32.dll!DialogBoxIndirectParamA 768BD2EA 6 Bytes JMP 7078000A .text C:\Windows\system32\svchost.exe[5052] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 709A000A .text C:\Windows\system32\svchost.exe[5052] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 70A3000A .text C:\Windows\system32\svchost.exe[5052] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 70A0000A .text C:\Windows\system32\svchost.exe[5052] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 709D000A .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!StartServiceCtrlDispatcherW 765CA8E5 6 Bytes JMP 719D000A .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!RegisterServiceCtrlHandlerW 765CA8FD 6 Bytes JMP 718E000A .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!RegisterServiceCtrlHandlerExW 765CA92D 6 Bytes JMP 7197000A .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!SetServiceStatus 765CC726 6 Bytes JMP 718B000A .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!RegisterServiceCtrlHandlerA 7660377F 6 Bytes JMP 7191000A .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!RegisterServiceCtrlHandlerExA 7660378F 6 Bytes JMP 7194000A .text C:\Windows\system32\svchost.exe[5052] ADVAPI32.dll!StartServiceCtrlDispatcherA 7660380F 6 Bytes JMP 719A000A .text C:\Windows\system32\svchost.exe[5052] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 70A9000A .text C:\Windows\system32\AUDIODG.EXE[5988] ntdll.dll!NtAlpcSendWaitReceivePort 77C64F80 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[5988] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C64F84 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\AUDIODG.EXE[5988] ntdll.dll!NtClose 77C65030 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[5988] ntdll.dll!NtClose + 4 77C65034 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[5988] ntdll.dll!LdrUnloadDll 77C7C716 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[5988] kernel32.dll!CopyFileExW 767CB440 6 Bytes JMP 7180001E .text C:\Windows\system32\AUDIODG.EXE[5988] kernel32.dll!MoveFileWithProgressW 767D8F94 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[5988] kernel32.dll!CreateProcessInternalW 767E0952 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[5988] kernel32.dll!CreateProcessInternalW + 4 767E0956 2 Bytes [9E, 71] .text C:\Windows\system32\AUDIODG.EXE[5988] kernel32.dll!MoveFileWithProgressA 767F4198 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[5988] kernel32.dll!MoveFileTransactedA 7681C48E 6 Bytes JMP 7186001E .text C:\Windows\system32\AUDIODG.EXE[5988] kernel32.dll!MoveFileTransactedW 7681C531 6 Bytes JMP 7183001E .text C:\Windows\system32\AUDIODG.EXE[5988] USER32.dll!SetWindowsHookExW 7687E2DC 6 Bytes JMP 717A001E .text C:\Windows\system32\AUDIODG.EXE[5988] USER32.dll!SetWinEventHook 768824B4 6 Bytes JMP 7177001E .text C:\Windows\system32\AUDIODG.EXE[5988] USER32.dll!SetWindowsHookExA 768A6CDC 6 Bytes JMP 717D001E .text C:\Windows\system32\AUDIODG.EXE[5988] GDI32.dll!DeleteDC 76746EAA 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[5988] GDI32.dll!CreateDCA 76749BED 6 Bytes JMP 7198001E .text C:\Windows\system32\AUDIODG.EXE[5988] GDI32.dll!CreateDCW 7674C7CD 6 Bytes JMP 7195001E .text C:\Windows\system32\AUDIODG.EXE[5988] GDI32.dll!GetPixel 7674CE87 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[5988] ole32.dll!CoCreateInstance 76009CBB 6 Bytes JMP 719B001E ---- Devices - GMER 2.2 ---- AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack@LastHeartBeatTime 0x35 0xD0 0xD4 0x64 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack\SettingsRequests\telemetry.ASM-WindowsDefault@LastDownloadTime 0x35 0xD0 0xD4 0x64 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack\SettingsRequests\utc.app@LastDownloadTime 0x35 0xD0 0xD4 0x64 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xEB 0x10 0xA0 0x37 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0xBA 0xF6 0xBA 0xE6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0xA2 0x06 0xB4 0xEF ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0x99 0xF7 0xF7 0xA1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Nitro PDF\PrimoPDF\PrimoPDF.exe 0x16 0x3E 0x29 0x95 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\mmc.exe 0x1F 0xE3 0x30 0x3F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xC3 0x4A 0x49 0x36 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x17 0x4D 0x6B 0xC4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\aitstatic.exe 0x0A 0xB3 0x0C 0xC1 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0xE4 0xDF 0x97 0xCE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\GFExperience.exe 0xDA 0xCC 0x25 0xAF ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0x8E 0xEC 0x1B 0xF9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\CompatTelRunner.exe 0x1F 0x0B 0x3C 0xB7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\AVG\Av\avgmfapx.exe 0x4F 0x49 0x35 0x7C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Adam\Desktop\naprawa komputerow - zhackowana strona\u7lcxphk.exe 0xD5 0xB3 0xD2 0xB3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\mmc.exe 0xAE 0x61 0x83 0x58 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@E6C0BDC9 1312 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 1467 ---- EOF - GMER 2.2 ----