GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-09 11:12:13 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHW2080BH_PL rev.891F 74,53GB Running: ct4hn72d.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x8D01D50E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8D01D91A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcCreatePort [0x8D01D8C8] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x8D01C754] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateEvent [0x8D01B82A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateEventPair [0x8D01B882] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x8D01D13C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateMutant [0x8D01B7D4] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreatePort [0x8D01B77C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x8D01CE58] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSemaphore [0x8D01B8D4] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8D01E7AC] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThread [0x8D01C0FE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x8D01DB64] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x8D01E1B2] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x8D01CA2C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x8D01D334] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x8D01CCE0] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0x8D01D702] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x8D01E4B2] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x8D01C9A2] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x8D01CBCC] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x8D01C534] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x8D01C302] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRenameKey + 1549 82C5BF05 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C96292 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82C9D69C 4 Bytes [0E, D5, 01, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82C9D6C4 8 Bytes [1A, D9, 01, 8D, C8, D8, 01, ...] {SBB BL, CL; ADD [EBP-0x72fe2738], ECX} .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82C9D758 4 Bytes [54, C7, 01, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82C9D76C 12 Bytes [2A, B8, 01, 8D, 82, B8, 01, ...] {SUB BH, [EAX-0x477d72ff]; ADD [EBP-0x72fe2ec4], ECX} .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82C9D794 4 Bytes [D4, B7, 01, 8D] .text ... ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\agrsmsvc.exe[360] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\agrsmsvc.exe[360] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\agrsmsvc.exe[360] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\agrsmsvc.exe[360] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\agrsmsvc.exe[360] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\agrsmsvc.exe[360] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\agrsmsvc.exe[360] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\agrsmsvc.exe[360] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\agrsmsvc.exe[360] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\agrsmsvc.exe[360] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\agrsmsvc.exe[360] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\agrsmsvc.exe[360] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\agrsmsvc.exe[360] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\agrsmsvc.exe[360] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\agrsmsvc.exe[360] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\agrsmsvc.exe[360] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\agrsmsvc.exe[360] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\agrsmsvc.exe[360] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\agrsmsvc.exe[360] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\agrsmsvc.exe[360] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\csrss.exe[400] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 5 Bytes JMP 74E02200 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[400] ntdll.dll!NtReplyWaitReceivePort 76F55FE0 5 Bytes JMP 74E018F0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[400] ntdll.dll!NtReplyWaitReceivePortEx 76F55FF0 5 Bytes JMP 74E01D70 C:\Windows\system32\cmdcsr.dll .text C:\Windows\System32\svchost.exe[420] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[420] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[420] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[420] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[420] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[420] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[420] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[420] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[420] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[420] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[420] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[420] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[420] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[420] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[420] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[420] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[420] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[420] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[420] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[420] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\csrss.exe[468] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 5 Bytes JMP 74E02200 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[468] ntdll.dll!NtReplyWaitReceivePort 76F55FE0 5 Bytes JMP 74E018F0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[468] ntdll.dll!NtReplyWaitReceivePortEx 76F55FF0 5 Bytes JMP 74E01D70 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\svchost.exe[472] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[472] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[472] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[472] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[472] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[472] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[472] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[472] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[472] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[472] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[472] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[472] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[472] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[472] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[472] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[472] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[472] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[472] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[472] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[472] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\services.exe[528] services.exe 00B91608 4 Bytes [30, 9D, C4, 74] .text C:\Windows\system32\services.exe[528] services.exe 00B91618 4 Bytes [10, A1, C4, 74] .text C:\Windows\system32\services.exe[528] services.exe 00B91638 4 Bytes [90, 9A, C4, 74] .text C:\Windows\system32\services.exe[528] services.exe 00B91648 4 Bytes [30, 9F, C4, 74] .text C:\Windows\system32\services.exe[528] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[528] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\services.exe[528] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[528] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[528] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[528] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[528] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[528] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[528] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\services.exe[528] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[528] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[528] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7181000A .text C:\Windows\system32\services.exe[528] RPCRT4.dll!RpcServerRegisterIfEx 753A0818 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[528] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7178000A .text C:\Windows\system32\services.exe[528] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7175000A .text C:\Windows\system32\services.exe[528] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717B000A .text C:\Windows\system32\services.exe[528] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[528] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7196000A .text C:\Windows\system32\services.exe[528] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[528] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[528] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[540] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[540] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\lsass.exe[540] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[540] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[540] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[540] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[540] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[540] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[540] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\lsass.exe[540] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[540] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[540] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[540] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\lsass.exe[540] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\lsass.exe[540] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[540] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[540] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[540] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[540] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[540] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[548] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[548] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\lsm.exe[548] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[548] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[548] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[548] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[548] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[548] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[548] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\lsm.exe[548] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[548] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[548] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[548] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\lsm.exe[548] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\lsm.exe[548] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsm.exe[548] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[548] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[548] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[548] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[548] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[696] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[696] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[696] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[696] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[696] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[696] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[696] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[696] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[696] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[696] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[696] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[696] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[696] RPCRT4.dll!RpcServerRegisterIfEx 753A0818 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[696] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[696] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[696] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[696] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[696] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[696] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[696] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[696] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[772] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[772] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[772] RPCRT4.dll!RpcServerRegisterIfEx 753A0818 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[772] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[772] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[772] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[772] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[772] rpcss.dll!CoGetComCatalog 742B35EC 3 Bytes [70, 92, C4] .text C:\Windows\system32\svchost.exe[772] rpcss.dll!CoGetComCatalog 742B35F0 3 Bytes [30, 90, C4] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[820] ntdll.dll!NtAllocateVirtualMemory 76F54EA0 5 Bytes JMP 003AE6A0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[820] ntdll.dll!NtCreateFile 76F55190 5 Bytes JMP 004576C0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[820] ntdll.dll!NtOpenFile 76F558A0 5 Bytes JMP 004575D0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[904] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[904] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[904] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[904] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[904] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[904] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[904] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[904] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[904] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[904] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[904] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[904] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[904] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[904] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[904] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[948] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[948] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[948] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[948] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[948] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[948] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[948] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[948] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[948] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[948] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[948] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[948] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[948] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[948] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[948] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[948] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[948] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[948] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[948] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[948] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1004] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1004] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[1004] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1004] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1004] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1004] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1004] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1004] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1004] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[1004] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1004] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1004] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1004] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[1004] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[1004] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1004] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1004] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1004] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1004] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1004] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1004] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 716F000A .text C:\Windows\System32\svchost.exe[1004] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1036] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1036] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1036] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1036] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1036] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1068] RPCRT4.dll!RpcServerRegisterIfEx 753A0818 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1068] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1068] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1068] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 716C000A .text C:\Windows\system32\svchost.exe[1068] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 716F000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtCreateFile + 6 76F55196 4 Bytes [28, F8, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtCreateFile + B 76F5519B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtMapViewOfSection + 6 76F557F6 4 Bytes [28, FB, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtMapViewOfSection + B 76F557FB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenFile + 6 76F558A6 4 Bytes [68, F8, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenFile + B 76F558AB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenProcess + 6 76F55956 4 Bytes [A8, F9, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenProcess + B 76F5595B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenProcessToken + 6 76F55966 4 Bytes CALL 75F62564 C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenProcessToken + B 76F5596B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenProcessTokenEx + 6 76F55976 4 Bytes [A8, FA, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenProcessTokenEx + B 76F5597B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenThread + 6 76F559D6 4 Bytes [68, F9, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenThread + B 76F559DB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenThreadToken + 6 76F559E6 4 Bytes [68, FA, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenThreadToken + B 76F559EB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenThreadTokenEx + 6 76F559F6 4 Bytes CALL 75F625F5 C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtOpenThreadTokenEx + B 76F559FB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtQueryAttributesFile + 6 76F55B06 4 Bytes [A8, F8, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtQueryAttributesFile + B 76F55B0B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtQueryFullAttributesFile + 6 76F55BB6 4 Bytes CALL 75F627B3 C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtQueryFullAttributesFile + B 76F55BBB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtSetInformationFile + 6 76F56206 4 Bytes [28, F9, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtSetInformationFile + B 76F5620B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtSetInformationThread + 6 76F56266 4 Bytes [28, FA, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtSetInformationThread + B 76F5626B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtUnmapViewOfSection + 6 76F56586 4 Bytes [68, FB, CB, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!NtUnmapViewOfSection + B 76F5658B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1096] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1224] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1424] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1424] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\spoolsv.exe[1424] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1424] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1424] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1424] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1424] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1424] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1424] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\System32\spoolsv.exe[1424] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1424] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1424] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1424] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\System32\spoolsv.exe[1424] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\System32\spoolsv.exe[1424] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[1424] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1424] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1424] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1424] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1424] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1468] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1468] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[1468] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1468] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1468] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1468] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1468] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1468] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1468] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1468] RPCRT4.dll!RpcServerRegisterIfEx 753A0818 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1468] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1468] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[1468] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1468] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1468] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1468] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1468] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1468] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[1588] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1588] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Windows\Explorer.EXE[1588] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1588] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[1588] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[1588] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\Explorer.EXE[1588] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[1588] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1588] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\Explorer.EXE[1588] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[1588] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[1588] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\Explorer.EXE[1588] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[1588] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[1588] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[1588] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[1588] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Windows\Explorer.EXE[1588] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Windows\Explorer.EXE[1588] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Windows\Explorer.EXE[1588] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Windows\Explorer.EXE[1588] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[1588] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1596] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1596] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[1596] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1596] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1596] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1596] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1596] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1596] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1596] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1596] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1596] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1596] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1596] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1596] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1596] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1596] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1596] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1596] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1596] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1596] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1596] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 716F000A .text C:\Windows\system32\svchost.exe[1596] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 7172000A .text C:\Windows\system32\Dwm.exe[1656] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1656] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\Dwm.exe[1656] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1656] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[1656] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[1656] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[1656] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[1656] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1656] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\Dwm.exe[1656] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[1656] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[1656] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[1656] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[1656] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[1656] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[1656] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[1656] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\Dwm.exe[1656] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\Dwm.exe[1656] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[1656] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtCreateFile + 6 76F55196 4 Bytes [28, B0, 78, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtCreateFile + B 76F5519B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtMapViewOfSection + 6 76F557F6 4 Bytes [28, B3, 78, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtMapViewOfSection + B 76F557FB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenFile + 6 76F558A6 4 Bytes [68, B0, 78, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenFile + B 76F558AB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenProcess + 6 76F55956 4 Bytes [A8, B1, 78, 00] {TEST AL, 0xb1; JS 0x4} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenProcess + B 76F5595B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenProcessToken + 6 76F55966 4 Bytes CALL 75F5D21C C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenProcessToken + B 76F5596B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenProcessTokenEx + 6 76F55976 4 Bytes [A8, B2, 78, 00] {TEST AL, 0xb2; JS 0x4} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenProcessTokenEx + B 76F5597B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenThread + 6 76F559D6 4 Bytes [68, B1, 78, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenThread + B 76F559DB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenThreadToken + 6 76F559E6 4 Bytes [68, B2, 78, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenThreadToken + B 76F559EB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenThreadTokenEx + 6 76F559F6 4 Bytes CALL 75F5D2AD C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtOpenThreadTokenEx + B 76F559FB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtQueryAttributesFile + 6 76F55B06 4 Bytes [A8, B0, 78, 00] {TEST AL, 0xb0; JS 0x4} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtQueryAttributesFile + B 76F55B0B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtQueryFullAttributesFile + 6 76F55BB6 4 Bytes CALL 75F5D46B C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtQueryFullAttributesFile + B 76F55BBB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtSetInformationFile + 6 76F56206 4 Bytes [28, B1, 78, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtSetInformationFile + B 76F5620B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtSetInformationThread + 6 76F56266 4 Bytes [28, B2, 78, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtSetInformationThread + B 76F5626B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtUnmapViewOfSection + 6 76F56586 4 Bytes [68, B3, 78, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!NtUnmapViewOfSection + B 76F5658B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[1808] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\taskhost.exe[1812] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1812] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[1812] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[1812] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[1812] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[1812] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1812] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\taskhost.exe[1812] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[1812] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[1812] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[1812] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[1812] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[1812] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[1812] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[1812] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[1812] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\taskhost.exe[1812] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\taskhost.exe[1812] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[1812] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 716F000A .text C:\Windows\system32\taskhost.exe[1812] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 7172000A .text C:\Windows\system32\taskeng.exe[1924] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1924] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\taskeng.exe[1924] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1924] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[1924] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[1924] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[1924] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[1924] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1924] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\taskeng.exe[1924] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[1924] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[1924] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[1924] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\taskeng.exe[1924] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\taskeng.exe[1924] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[1924] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[1924] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[1924] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[1924] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[1924] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2036] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtCreateFile + 6 76F55196 4 Bytes [28, 74, DF, 00] {SUB [EDI+EBX*8+0x0], DH} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtCreateFile + B 76F5519B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtMapViewOfSection + 6 76F557F6 4 Bytes [28, 77, DF, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtMapViewOfSection + B 76F557FB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenFile + 6 76F558A6 4 Bytes [68, 74, DF, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenFile + B 76F558AB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenProcess + 6 76F55956 4 Bytes [A8, 75, DF, 00] {TEST AL, 0x75; FILD WORD [EAX]} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenProcess + B 76F5595B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenProcessToken + 6 76F55966 4 Bytes CALL 75F638E0 C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenProcessToken + B 76F5596B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenProcessTokenEx + 6 76F55976 4 Bytes [A8, 76, DF, 00] {TEST AL, 0x76; FILD WORD [EAX]} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenProcessTokenEx + B 76F5597B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenThread + 6 76F559D6 4 Bytes [68, 75, DF, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenThread + B 76F559DB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenThreadToken + 6 76F559E6 4 Bytes [68, 76, DF, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenThreadToken + B 76F559EB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenThreadTokenEx + 6 76F559F6 4 Bytes CALL 75F63971 C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtOpenThreadTokenEx + B 76F559FB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtQueryAttributesFile + 6 76F55B06 4 Bytes [A8, 74, DF, 00] {TEST AL, 0x74; FILD WORD [EAX]} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtQueryAttributesFile + B 76F55B0B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtQueryFullAttributesFile + 6 76F55BB6 4 Bytes CALL 75F63B2F C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtQueryFullAttributesFile + B 76F55BBB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtSetInformationFile + 6 76F56206 4 Bytes [28, 75, DF, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtSetInformationFile + B 76F5620B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtSetInformationThread + 6 76F56266 4 Bytes [28, 76, DF, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtSetInformationThread + B 76F5626B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtUnmapViewOfSection + 6 76F56586 4 Bytes [68, 77, DF, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!NtUnmapViewOfSection + B 76F5658B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[2364] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe[2448] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\System32\igfxtray.exe[2464] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[2464] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Windows\System32\igfxtray.exe[2464] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[2464] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\System32\igfxtray.exe[2464] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\System32\igfxtray.exe[2464] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\System32\igfxtray.exe[2464] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\System32\igfxtray.exe[2464] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[2464] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\System32\igfxtray.exe[2464] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\System32\igfxtray.exe[2464] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\System32\igfxtray.exe[2464] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\System32\igfxtray.exe[2464] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Windows\System32\igfxtray.exe[2464] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Windows\System32\igfxtray.exe[2464] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Windows\System32\igfxtray.exe[2464] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\igfxtray.exe[2464] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\System32\igfxtray.exe[2464] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\System32\igfxtray.exe[2464] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\System32\igfxtray.exe[2464] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\System32\igfxtray.exe[2464] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Windows\System32\igfxtray.exe[2464] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Windows\System32\hkcmd.exe[2472] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[2472] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Windows\System32\hkcmd.exe[2472] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[2472] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\System32\hkcmd.exe[2472] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\System32\hkcmd.exe[2472] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\System32\hkcmd.exe[2472] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\System32\hkcmd.exe[2472] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[2472] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\System32\hkcmd.exe[2472] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\System32\hkcmd.exe[2472] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\System32\hkcmd.exe[2472] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\System32\hkcmd.exe[2472] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Windows\System32\hkcmd.exe[2472] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Windows\System32\hkcmd.exe[2472] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Windows\System32\hkcmd.exe[2472] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\hkcmd.exe[2472] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\System32\hkcmd.exe[2472] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\System32\hkcmd.exe[2472] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\System32\hkcmd.exe[2472] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\System32\hkcmd.exe[2472] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Windows\System32\hkcmd.exe[2472] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Windows\System32\igfxpers.exe[2516] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[2516] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Windows\System32\igfxpers.exe[2516] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[2516] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\System32\igfxpers.exe[2516] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\System32\igfxpers.exe[2516] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\System32\igfxpers.exe[2516] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\System32\igfxpers.exe[2516] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[2516] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\System32\igfxpers.exe[2516] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\System32\igfxpers.exe[2516] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\System32\igfxpers.exe[2516] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\System32\igfxpers.exe[2516] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\System32\igfxpers.exe[2516] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\System32\igfxpers.exe[2516] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\System32\igfxpers.exe[2516] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\System32\igfxpers.exe[2516] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Windows\System32\igfxpers.exe[2516] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Windows\System32\igfxpers.exe[2516] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Windows\System32\igfxpers.exe[2516] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\System32\igfxpers.exe[2516] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Windows\System32\igfxpers.exe[2516] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtAlpcConnectPort 76F54ED0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtAlpcConnectPort + 4 76F54ED4 2 Bytes [65, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtAlpcCreatePort 76F54EE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtAlpcCreatePort + 4 76F54EE4 2 Bytes [68, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [62, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtClose + 4 76F55094 2 Bytes [1D, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtConnectPort 76F55120 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtConnectPort + 4 76F55124 2 Bytes [3B, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateEvent 76F55170 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateEvent + 4 76F55174 2 Bytes [53, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateEventPair 76F55180 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateEventPair + 4 76F55184 2 Bytes [4D, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateFile 76F55190 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateFile + 4 76F55194 2 Bytes [2C, 71] {SUB AL, 0x71} .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateMutant 76F55210 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateMutant + 4 76F55214 2 Bytes [59, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateNamedPipeFile 76F55220 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateNamedPipeFile + 4 76F55224 2 Bytes [2F, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreatePort 76F55240 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreatePort + 4 76F55244 2 Bytes [41, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateSection 76F552B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateSection + 4 76F552B4 2 Bytes [35, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateSemaphore 76F552C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateSemaphore + 4 76F552C4 2 Bytes [47, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateWaitablePort 76F55350 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtCreateWaitablePort + 4 76F55354 2 Bytes [38, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtFsControlFile 76F555D0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtFsControlFile + 4 76F555D4 2 Bytes [23, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenEvent 76F55880 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenEvent + 4 76F55884 2 Bytes [50, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenEventPair 76F55890 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenEventPair + 4 76F55894 2 Bytes [4A, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenFile 76F558A0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenFile + 4 76F558A4 2 Bytes [29, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenMutant 76F55920 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenMutant + 4 76F55924 2 Bytes [56, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenSection 76F55990 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenSection + 4 76F55994 2 Bytes [32, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenSemaphore 76F559A0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtOpenSemaphore + 4 76F559A4 2 Bytes [44, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtQueryVirtualMemory 76F55E20 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtQueryVirtualMemory + 4 76F55E24 2 Bytes [26, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtReplyPort 76F55FD0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtReplyPort + 4 76F55FD4 2 Bytes [5C, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtRequestWaitReplyPort 76F56020 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtRequestWaitReplyPort + 4 76F56024 2 Bytes [5F, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtSecureConnectPort 76F560F0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtSecureConnectPort + 4 76F560F4 2 Bytes [3E, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtSetSystemTime 76F56370 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!NtSetSystemTime + 4 76F56374 2 Bytes [20, 71] .text C:\Windows\system32\svchost.exe[2564] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 711B000A .text C:\Windows\system32\svchost.exe[2564] kernel32.dll!GetPrivateProfileStringW 76E681DB 6 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[2564] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7096000A .text C:\Windows\system32\svchost.exe[2564] kernel32.dll!GetPrivateProfileStringA 76E6E0E9 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2564] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 709F000A .text C:\Windows\system32\svchost.exe[2564] kernel32.dll!RegOpenKeyExW 76E7D191 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2564] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [B6, 70] {MOV DH, 0x70} .text C:\Windows\system32\svchost.exe[2564] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 70A2000A .text C:\Windows\system32\svchost.exe[2564] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 709C000A .text C:\Windows\system32\svchost.exe[2564] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7099000A .text C:\Windows\system32\svchost.exe[2564] RPCRT4.dll!RpcServerRegisterIfEx 753A0818 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!RegisterClassExA 75EE629B 6 Bytes JMP 7109000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!FindWindowExA 75EE6F71 6 Bytes JMP 70D3000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!GetClassInfoExA 75EE6FE1 6 Bytes JMP 70FD000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!GetClassInfoA 75EE714C 6 Bytes JMP 70F7000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!UnregisterClassA 75EE8D30 6 Bytes JMP 7103000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!FindWindowA 75EE8FB9 6 Bytes JMP 70CD000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!SetLayeredWindowAttributes 75EEA6A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] USER32.dll!SetLayeredWindowAttributes + 4 75EEA6A8 2 Bytes [92, 70] .text C:\Windows\system32\svchost.exe[2564] USER32.dll!FindWindowW 75EEADD5 6 Bytes JMP 70D0000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!EnumDesktopWindows 75EEB48F 6 Bytes JMP 70C1000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!EnumThreadWindows 75EEB6DA 6 Bytes JMP 70C7000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!UnregisterClassW 75EEB976 6 Bytes JMP 7106000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!RegisterClassA 75EEBC32 6 Bytes JMP 710F000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!CreateWindowExA 75EEBF08 6 Bytes JMP 70EB000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 707B000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!CreateWindowExW 75EEEC44 6 Bytes JMP 70EE000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!RegisterClassW 75EEED12 6 Bytes JMP 7112000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!RegisterClassExW 75EF012A 6 Bytes JMP 710C000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!GetClassInfoExW 75EF0926 6 Bytes JMP 7100000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!GetClassInfoW 75EF0A8F 6 Bytes JMP 70FA000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7078000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!EnumChildWindows 75EF2918 6 Bytes JMP 70C4000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!GetClassNameW 75EF29F9 6 Bytes JMP 70F4000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!GetShellWindow 75EF2F9B 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2564] USER32.dll!GetShellWindow + 4 75EF2F9F 2 Bytes [A4, 71] .text C:\Windows\system32\svchost.exe[2564] USER32.dll!EnumWindows 75EF372B 6 Bytes JMP 70CA000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!CreateDialogParamA 75F01F12 6 Bytes JMP 70E2000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!DialogBoxParamW 75F03B6B 6 Bytes JMP 70DF000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!CreateDialogIndirectParamA 75F071ED 6 Bytes JMP 708B000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!CreateDialogIndirectParamW 75F0E9E0 6 Bytes JMP 708E000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!GetClassNameA 75F12415 6 Bytes JMP 70F1000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!DialogBoxIndirectParamAorW 75F13B10 6 Bytes JMP 70D9000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!DialogBoxIndirectParamW 75F13B4F 6 Bytes JMP 7086000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!CreateDialogIndirectParamAorW 75F152F7 6 Bytes JMP 70E8000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!CreateDialogParamW 75F15600 6 Bytes JMP 70E5000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 707E000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!FindWindowExW 75F170FB 6 Bytes JMP 70D6000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!DialogBoxParamA 75F2CFC8 6 Bytes JMP 70DC000A .text C:\Windows\system32\svchost.exe[2564] USER32.dll!DialogBoxIndirectParamA 75F2D2FA 6 Bytes JMP 7083000A .text C:\Windows\system32\svchost.exe[2564] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 70A5000A .text C:\Windows\system32\svchost.exe[2564] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[2564] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 70AB000A .text C:\Windows\system32\svchost.exe[2564] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 70A8000A .text C:\Windows\system32\svchost.exe[2564] ADVAPI32.dll!StartServiceCtrlDispatcherW 75ABA8E5 6 Bytes JMP 71A2000A .text C:\Windows\system32\svchost.exe[2564] ADVAPI32.dll!RegisterServiceCtrlHandlerW 75ABA8FD 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2564] ADVAPI32.dll!RegisterServiceCtrlHandlerExW 75ABA92D 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2564] ADVAPI32.dll!SetServiceStatus 75ABC726 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2564] ADVAPI32.dll!RegisterServiceCtrlHandlerA 75AF377F 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2564] ADVAPI32.dll!RegisterServiceCtrlHandlerExA 75AF378F 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2564] ADVAPI32.dll!StartServiceCtrlDispatcherA 75AF380F 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2564] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 70B4000A .text C:\Windows\system32\igfxsrvc.exe[2616] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[2616] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\igfxsrvc.exe[2616] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[2616] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\igfxsrvc.exe[2616] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\igfxsrvc.exe[2616] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\igfxsrvc.exe[2616] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\igfxsrvc.exe[2616] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[2616] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\igfxsrvc.exe[2616] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\igfxsrvc.exe[2616] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\igfxsrvc.exe[2616] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\igfxsrvc.exe[2616] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\igfxsrvc.exe[2616] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\igfxsrvc.exe[2616] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\igfxsrvc.exe[2616] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\igfxsrvc.exe[2616] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\igfxsrvc.exe[2616] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\igfxsrvc.exe[2616] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\igfxsrvc.exe[2616] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe[2672] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[2700] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2700] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\taskeng.exe[2700] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2700] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[2700] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[2700] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[2700] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[2700] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2700] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\taskeng.exe[2700] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[2700] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[2700] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[2700] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\taskeng.exe[2700] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\taskeng.exe[2700] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[2700] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[2700] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[2700] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[2700] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[2700] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\CCleaner\CCleaner.exe[2792] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\CCleaner\CCleaner.exe[2792] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\CCleaner\CCleaner.exe[2792] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\CCleaner\CCleaner.exe[2792] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\CCleaner\CCleaner.exe[2792] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\CCleaner\CCleaner.exe[2792] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!SetScrollRange 75EE8E8B 5 Bytes JMP 0032B938 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!GetScrollInfo 75EF2D73 5 Bytes JMP 0032B8BF C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!SetScrollInfo 75EF48AA 5 Bytes JMP 0032B975 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!GetScrollRange 75F1042A 5 Bytes JMP 0032B856 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!SetScrollPos 75F1048E 5 Bytes JMP 0032B82B C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!GetScrollPos 75F10E13 5 Bytes JMP 0032B894 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!EnableScrollBar 75F1199E 5 Bytes JMP 0032B9AF C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!ShowScrollBar 75F13C59 5 Bytes JMP 0032B8F8 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2792] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Program Files\CCleaner\CCleaner.exe[2792] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2932] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\Opera\44.0.2510.857\opera_crashreporter.exe[2952] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[2964] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\wbem\wmiprvse.exe[2964] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[2964] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\wmiprvse.exe[2964] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[2964] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\wbem\wmiprvse.exe[2964] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\wmiprvse.exe[2964] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3076] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[3144] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3144] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\SearchIndexer.exe[3144] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3144] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[3144] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[3144] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[3144] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchIndexer.exe[3144] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3144] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\SearchIndexer.exe[3144] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchIndexer.exe[3144] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[3144] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[3144] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\SearchIndexer.exe[3144] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\SearchIndexer.exe[3144] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[3144] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[3144] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[3144] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[3144] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[3144] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[3144] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 716F000A .text C:\Windows\system32\SearchIndexer.exe[3144] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 7172000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 716F000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3240] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[3424] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3424] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[3424] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3424] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3424] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3424] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[3424] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[3424] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3424] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[3424] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3424] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[3424] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[3424] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[3424] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[3424] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[3424] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3424] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3424] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3424] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3424] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3636] ntdll.dll!NtAllocateVirtualMemory 76F54EA0 5 Bytes JMP 00951A90 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\FastStone Capture\FSCapture.exe[3644] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Windows\system32\AUDIODG.EXE[3660] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[3660] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\AUDIODG.EXE[3660] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[3660] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[3660] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[3660] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7180001E .text C:\Windows\system32\AUDIODG.EXE[3660] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[3660] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[3660] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Windows\system32\AUDIODG.EXE[3660] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[3660] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7186001E .text C:\Windows\system32\AUDIODG.EXE[3660] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7183001E .text C:\Windows\system32\AUDIODG.EXE[3660] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717A001E .text C:\Windows\system32\AUDIODG.EXE[3660] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7177001E .text C:\Windows\system32\AUDIODG.EXE[3660] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717D001E .text C:\Windows\system32\AUDIODG.EXE[3660] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[3660] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7198001E .text C:\Windows\system32\AUDIODG.EXE[3660] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7195001E .text C:\Windows\system32\AUDIODG.EXE[3660] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[3660] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719B001E .text C:\Users\User\Desktop\ct4hn72d.exe[3744] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Users\User\Desktop\ct4hn72d.exe[3744] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [74, 71] {JZ 0x73} .text C:\Users\User\Desktop\ct4hn72d.exe[3744] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Users\User\Desktop\ct4hn72d.exe[3744] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Users\User\Desktop\ct4hn72d.exe[3744] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Users\User\Desktop\ct4hn72d.exe[3744] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Users\User\Desktop\ct4hn72d.exe[3744] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 717B000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7178000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 717E000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Users\User\Desktop\ct4hn72d.exe[3744] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtAlpcConnectPort 76F54ED0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtAlpcConnectPort + 4 76F54ED4 2 Bytes [65, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtAlpcCreatePort 76F54EE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtAlpcCreatePort + 4 76F54EE4 2 Bytes [68, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [62, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtClose + 4 76F55094 2 Bytes [1D, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtConnectPort 76F55120 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtConnectPort + 4 76F55124 2 Bytes [3B, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateEvent 76F55170 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateEvent + 4 76F55174 2 Bytes [53, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateEventPair 76F55180 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateEventPair + 4 76F55184 2 Bytes [4D, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateFile 76F55190 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateFile + 4 76F55194 2 Bytes [2C, 71] {SUB AL, 0x71} .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateMutant 76F55210 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateMutant + 4 76F55214 2 Bytes [59, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateNamedPipeFile 76F55220 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateNamedPipeFile + 4 76F55224 2 Bytes [2F, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreatePort 76F55240 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreatePort + 4 76F55244 2 Bytes [41, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateSection 76F552B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateSection + 4 76F552B4 2 Bytes [35, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateSemaphore 76F552C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateSemaphore + 4 76F552C4 2 Bytes [47, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateWaitablePort 76F55350 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtCreateWaitablePort + 4 76F55354 2 Bytes [38, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtFsControlFile 76F555D0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtFsControlFile + 4 76F555D4 2 Bytes [23, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenEvent 76F55880 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenEvent + 4 76F55884 2 Bytes [50, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenEventPair 76F55890 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenEventPair + 4 76F55894 2 Bytes [4A, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenFile 76F558A0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenFile + 4 76F558A4 2 Bytes [29, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenMutant 76F55920 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenMutant + 4 76F55924 2 Bytes [56, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenSection 76F55990 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenSection + 4 76F55994 2 Bytes [32, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenSemaphore 76F559A0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtOpenSemaphore + 4 76F559A4 2 Bytes [44, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtQueryVirtualMemory 76F55E20 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtQueryVirtualMemory + 4 76F55E24 2 Bytes [26, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtReplyPort 76F55FD0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtReplyPort + 4 76F55FD4 2 Bytes [5C, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtRequestWaitReplyPort 76F56020 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtRequestWaitReplyPort + 4 76F56024 2 Bytes [5F, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtSecureConnectPort 76F560F0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtSecureConnectPort + 4 76F560F4 2 Bytes [3E, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtSetSystemTime 76F56370 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!NtSetSystemTime + 4 76F56374 2 Bytes [20, 71] .text C:\Windows\system32\svchost.exe[3876] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 711B000A .text C:\Windows\system32\svchost.exe[3876] kernel32.dll!GetPrivateProfileStringW 76E681DB 6 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[3876] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7096000A .text C:\Windows\system32\svchost.exe[3876] kernel32.dll!GetPrivateProfileStringA 76E6E0E9 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3876] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 709F000A .text C:\Windows\system32\svchost.exe[3876] kernel32.dll!RegOpenKeyExW 76E7D191 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3876] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [B6, 70] {MOV DH, 0x70} .text C:\Windows\system32\svchost.exe[3876] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 70A2000A .text C:\Windows\system32\svchost.exe[3876] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 709C000A .text C:\Windows\system32\svchost.exe[3876] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7099000A .text C:\Windows\system32\svchost.exe[3876] RPCRT4.dll!RpcServerRegisterIfEx 753A0818 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!RegisterClassExA 75EE629B 6 Bytes JMP 7109000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!FindWindowExA 75EE6F71 6 Bytes JMP 70D3000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!GetClassInfoExA 75EE6FE1 6 Bytes JMP 70FD000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!GetClassInfoA 75EE714C 6 Bytes JMP 70F7000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!UnregisterClassA 75EE8D30 6 Bytes JMP 7103000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!FindWindowA 75EE8FB9 6 Bytes JMP 70CD000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!SetLayeredWindowAttributes 75EEA6A4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] USER32.dll!SetLayeredWindowAttributes + 4 75EEA6A8 2 Bytes [92, 70] .text C:\Windows\system32\svchost.exe[3876] USER32.dll!FindWindowW 75EEADD5 6 Bytes JMP 70D0000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!EnumDesktopWindows 75EEB48F 6 Bytes JMP 70C1000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!EnumThreadWindows 75EEB6DA 6 Bytes JMP 70C7000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!UnregisterClassW 75EEB976 6 Bytes JMP 7106000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!RegisterClassA 75EEBC32 6 Bytes JMP 710F000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!CreateWindowExA 75EEBF08 6 Bytes JMP 70EB000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 707B000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!CreateWindowExW 75EEEC44 6 Bytes JMP 70EE000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!RegisterClassW 75EEED12 6 Bytes JMP 7112000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!RegisterClassExW 75EF012A 6 Bytes JMP 710C000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!GetClassInfoExW 75EF0926 6 Bytes JMP 7100000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!GetClassInfoW 75EF0A8F 6 Bytes JMP 70FA000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7078000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!EnumChildWindows 75EF2918 6 Bytes JMP 70C4000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!GetClassNameW 75EF29F9 6 Bytes JMP 70F4000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!GetShellWindow 75EF2F9B 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3876] USER32.dll!GetShellWindow + 4 75EF2F9F 2 Bytes [A4, 71] .text C:\Windows\system32\svchost.exe[3876] USER32.dll!EnumWindows 75EF372B 6 Bytes JMP 70CA000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!CreateDialogParamA 75F01F12 6 Bytes JMP 70E2000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!DialogBoxParamW 75F03B6B 6 Bytes JMP 70DF000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!CreateDialogIndirectParamA 75F071ED 6 Bytes JMP 708B000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!CreateDialogIndirectParamW 75F0E9E0 6 Bytes JMP 708E000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!GetClassNameA 75F12415 6 Bytes JMP 70F1000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!DialogBoxIndirectParamAorW 75F13B10 6 Bytes JMP 70D9000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!DialogBoxIndirectParamW 75F13B4F 6 Bytes JMP 7086000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!CreateDialogIndirectParamAorW 75F152F7 6 Bytes JMP 70E8000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!CreateDialogParamW 75F15600 6 Bytes JMP 70E5000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 707E000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!FindWindowExW 75F170FB 6 Bytes JMP 70D6000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!DialogBoxParamA 75F2CFC8 6 Bytes JMP 70DC000A .text C:\Windows\system32\svchost.exe[3876] USER32.dll!DialogBoxIndirectParamA 75F2D2FA 6 Bytes JMP 7083000A .text C:\Windows\system32\svchost.exe[3876] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 70A5000A .text C:\Windows\system32\svchost.exe[3876] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[3876] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 70AB000A .text C:\Windows\system32\svchost.exe[3876] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 70A8000A .text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!StartServiceCtrlDispatcherW 75ABA8E5 6 Bytes JMP 71A2000A .text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegisterServiceCtrlHandlerW 75ABA8FD 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegisterServiceCtrlHandlerExW 75ABA92D 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!SetServiceStatus 75ABC726 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegisterServiceCtrlHandlerA 75AF377F 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!RegisterServiceCtrlHandlerExA 75AF378F 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3876] ADVAPI32.dll!StartServiceCtrlDispatcherA 75AF380F 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[3876] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 70B4000A .text C:\Windows\system32\svchost.exe[3876] rpcss.dll!CoGetComCatalog 742B35EC 3 Bytes [70, 92, C4] .text C:\Windows\system32\svchost.exe[3876] rpcss.dll!CoGetComCatalog 742B35F0 3 Bytes [30, 90, C4] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtAlpcSendWaitReceivePort 76F54FE0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76F54FE4 2 Bytes [6E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtClose 76F55090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtClose + 4 76F55094 2 Bytes [AE, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtCreateFile + 6 76F55196 4 Bytes [28, 1C, 63, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtCreateFile + B 76F5519B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtMapViewOfSection + 6 76F557F6 4 Bytes [28, 1F, 63, 00] {SUB [EDI], BL; ARPL [EAX], AX} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtMapViewOfSection + B 76F557FB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenFile + 6 76F558A6 4 Bytes [68, 1C, 63, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenFile + B 76F558AB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenProcess + 6 76F55956 4 Bytes [A8, 1D, 63, 00] {TEST AL, 0x1d; ARPL [EAX], AX} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenProcess + B 76F5595B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenProcessToken + 6 76F55966 4 Bytes CALL 75F5BC88 C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenProcessToken + B 76F5596B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenProcessTokenEx + 6 76F55976 4 Bytes [A8, 1E, 63, 00] {TEST AL, 0x1e; ARPL [EAX], AX} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenProcessTokenEx + B 76F5597B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenThread + 6 76F559D6 4 Bytes [68, 1D, 63, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenThread + B 76F559DB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenThreadToken + 6 76F559E6 4 Bytes [68, 1E, 63, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenThreadToken + B 76F559EB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenThreadTokenEx + 6 76F559F6 4 Bytes CALL 75F5BD19 C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtOpenThreadTokenEx + B 76F559FB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtQueryAttributesFile + 6 76F55B06 4 Bytes [A8, 1C, 63, 00] {TEST AL, 0x1c; ARPL [EAX], AX} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtQueryAttributesFile + B 76F55B0B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtQueryFullAttributesFile + 6 76F55BB6 4 Bytes CALL 75F5BED7 C:\Windows\system32\USER32.dll .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtQueryFullAttributesFile + B 76F55BBB 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtSetInformationFile + 6 76F56206 4 Bytes [28, 1D, 63, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtSetInformationFile + B 76F5620B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtSetInformationThread + 6 76F56266 4 Bytes [28, 1E, 63, 00] {SUB [ESI], BL; ARPL [EAX], AX} .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtSetInformationThread + B 76F5626B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtUnmapViewOfSection + 6 76F56586 4 Bytes [68, 1F, 63, 00] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!NtUnmapViewOfSection + B 76F5658B 1 Byte [E2] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ntdll.dll!LdrUnloadDll 76F6C746 6 Bytes JMP 71A8000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] kernel32.dll!CopyFileExW 76E6B490 6 Bytes JMP 7181000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] kernel32.dll!MoveFileWithProgressW 76E78FE4 6 Bytes JMP 718A000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] kernel32.dll!CreateProcessInternalW 76E809C2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] kernel32.dll!CreateProcessInternalW + 4 76E809C6 2 Bytes [9E, 71] .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] kernel32.dll!MoveFileWithProgressA 76E94208 6 Bytes JMP 718D000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] kernel32.dll!MoveFileTransactedA 76EBC506 6 Bytes JMP 7187000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] kernel32.dll!MoveFileTransactedW 76EBC5A9 6 Bytes JMP 7184000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] USER32.dll!SetWindowsHookExW 75EEE2D4 6 Bytes JMP 7175000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] USER32.dll!SetWinEventHook 75EF24AC 6 Bytes JMP 7172000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] USER32.dll!SetWindowsHookExA 75F16CDC 6 Bytes JMP 7178000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] GDI32.dll!DeleteDC 75E96EAA 6 Bytes JMP 7190000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] GDI32.dll!CreateDCA 75E99BCD 6 Bytes JMP 7199000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] GDI32.dll!CreateDCW 75E9C78D 6 Bytes JMP 7196000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] GDI32.dll!GetPixel 75E9CE47 6 Bytes JMP 7193000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] SHELL32.dll!SHFileOperationW 761D9670 6 Bytes JMP 717B000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] SHELL32.dll!SHFileOperation 763DC509 6 Bytes JMP 717E000A .text C:\Program Files\Opera\44.0.2510.857\opera.exe[4060] ole32.dll!CoCreateInstance 75199C3B 6 Bytes JMP 719C000A ---- Devices - GMER 2.2 ---- AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys Device \Driver\BTHUSB \Device\00000080 bthport.sys Device \Driver\BTHUSB \Device\00000082 bthport.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6bac7d1a Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6bf5e172 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6bac7d1a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6bf5e172 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@130FE83F 1231 ---- EOF - GMER 2.2 ----