GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-11 18:13:00 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST9120822AS rev.3.ALC 111,79GB Running: rfiiz73m.exe; Driver: C:\Users\Krzysiek\AppData\Local\Temp\kxddrfog.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x8BE3C4CA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8BE3C6BE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x8BE3B77A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x8BE3C0F8] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x8BE3BE8A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8BE3D27E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThread [0x8BE3B124] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x8BE3C908] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x8BE3CC84] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x8BE3BA5E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x8BE3C2F0] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x8BE3BD12] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x8BE3CF84] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x8BE3B9C8] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x8BE3BBFE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x8BE3B55A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x8BE3B328] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82A58569 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7D092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 220 82A84830 4 Bytes [CA, C4, E3, 8B] .text ntkrnlpa.exe!RtlSidHashLookup + 248 82A84858 4 Bytes [BE, C6, E3, 8B] .text ntkrnlpa.exe!RtlSidHashLookup + 2DC 82A848EC 4 Bytes [7A, B7, E3, 8B] {JP 0xffffffb9; JECXZ 0xffffff8f} .text ntkrnlpa.exe!RtlSidHashLookup + 2F8 82A84908 4 Bytes [F8, C0, E3, 8B] {CLC ; SHL BL, 0x8b} .text ntkrnlpa.exe!RtlSidHashLookup + 340 82A84950 4 Bytes [8A, BE, E3, 8B] .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8C617000, 0x23097E, 0xE8000020] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[384] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 5 Bytes JMP 75201ED0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[384] ntdll.dll!NtReplyWaitReceivePort 770A56C0 5 Bytes JMP 752015D0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[384] ntdll.dll!NtReplyWaitReceivePortEx 770A56D0 5 Bytes JMP 75201A50 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[472] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 5 Bytes JMP 75201ED0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[472] ntdll.dll!NtReplyWaitReceivePort 770A56C0 5 Bytes JMP 752015D0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[472] ntdll.dll!NtReplyWaitReceivePortEx 770A56D0 5 Bytes JMP 75201A50 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\services.exe[568] services.exe 00601608 4 Bytes [80, 36, 01, 10] .text C:\Windows\system32\services.exe[568] services.exe 00601618 4 Bytes [60, 3A, 01, 10] .text C:\Windows\system32\services.exe[568] services.exe 00601638 4 Bytes [E0, 33, 01, 10] {LOOPNZ 0x35; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[568] services.exe 00601648 4 Bytes [80, 38, 01, 10] .text C:\Windows\system32\services.exe[568] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[568] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\services.exe[568] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[568] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[568] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[568] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\services.exe[568] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\services.exe[568] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[568] RPCRT4.dll!RpcServerRegisterIfEx 75C82640 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[568] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[568] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717B000A .text C:\Windows\system32\services.exe[568] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7181000A .text C:\Windows\system32\services.exe[568] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[568] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[568] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[568] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[568] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[568] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[584] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[584] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsass.exe[584] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[584] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[584] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[584] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsass.exe[584] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[584] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[584] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[584] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[584] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[584] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[584] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[584] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[584] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[584] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[584] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[592] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsm.exe[592] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[592] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[592] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[592] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\lsm.exe[592] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[592] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[592] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[592] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[592] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[692] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[692] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[692] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[692] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[692] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[692] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[692] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[692] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[692] RPCRT4.dll!RpcServerRegisterIfEx 75C82640 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[692] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[692] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[692] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[692] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[692] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[692] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[692] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[692] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[692] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[772] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[772] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[772] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[772] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[776] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[776] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[776] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[776] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[776] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[776] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[776] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[776] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[776] RPCRT4.dll!RpcServerRegisterIfEx 75C82640 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[776] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[776] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[776] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[776] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[776] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[776] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[776] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[776] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[776] rpcss.dll!CoGetComCatalog 74733A14 8 Bytes [20, 30, 01, 10, E0, 2D, 01, ...] {AND [EAX], DH; ADD [EAX], EDX; LOOPNZ 0x33; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[860] ntdll.dll!NtAllocateVirtualMemory 770A4580 5 Bytes JMP 013A1EF0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[860] ntdll.dll!NtCreateFile 770A4870 5 Bytes JMP 013E52C0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[912] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[912] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[912] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[912] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[912] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[912] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[912] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[912] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\Ati2evxx.exe[952] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[952] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Ati2evxx.exe[952] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[952] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\Ati2evxx.exe[952] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\Ati2evxx.exe[952] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\Ati2evxx.exe[952] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\Ati2evxx.exe[952] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\Ati2evxx.exe[952] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\Ati2evxx.exe[952] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\Ati2evxx.exe[952] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\Ati2evxx.exe[952] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\Ati2evxx.exe[952] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\Ati2evxx.exe[952] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\Ati2evxx.exe[952] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\Ati2evxx.exe[952] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\Ati2evxx.exe[952] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[972] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[972] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[972] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[972] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[972] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[972] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[972] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[972] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[972] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[972] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[972] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[972] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1036] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1036] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1036] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1036] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1036] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1036] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1036] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1036] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1036] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1036] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1036] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1036] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1068] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1068] RPCRT4.dll!RpcServerRegisterIfEx 75C82640 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1068] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1068] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1068] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[1200] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1200] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskhost.exe[1200] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1200] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[1200] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[1200] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\taskhost.exe[1200] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[1200] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[1200] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[1200] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[1200] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[1200] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[1200] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[1200] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[1200] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[1200] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[1200] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1236] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1236] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1236] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1236] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1236] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1236] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1236] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1236] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1236] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1236] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1236] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1236] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1444] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1444] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\spoolsv.exe[1444] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1444] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1444] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1444] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\System32\spoolsv.exe[1444] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1444] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1444] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1444] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[1444] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1444] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1444] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1444] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1444] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1444] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1444] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1488] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1488] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1488] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1488] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1488] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1488] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1488] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1488] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1488] RPCRT4.dll!RpcServerRegisterIfEx 75C82640 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1488] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1488] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1488] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1488] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1488] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1488] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1488] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[1608] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1768] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\sppsvc.exe[1840] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\sppsvc.exe[1840] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\sppsvc.exe[1840] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\sppsvc.exe[1840] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\sppsvc.exe[1840] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\sppsvc.exe[1840] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\sppsvc.exe[1840] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\sppsvc.exe[1840] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\sppsvc.exe[1840] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\sppsvc.exe[1840] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\sppsvc.exe[1840] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\sppsvc.exe[1840] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\sppsvc.exe[1840] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\sppsvc.exe[1840] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\sppsvc.exe[1840] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\sppsvc.exe[1840] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\sppsvc.exe[1840] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1868] ntdll.dll!NtAllocateVirtualMemory 770A4580 5 Bytes JMP 00B51200 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1868] ntdll.dll!NtCreateFile 770A4870 5 Bytes JMP 00B51000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1876] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1876] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1876] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1876] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1876] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1876] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1876] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1876] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1876] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1876] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1876] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\System32\StkCSrv.exe[1904] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\StkCSrv.exe[1904] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\StkCSrv.exe[1904] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\StkCSrv.exe[1904] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\System32\StkCSrv.exe[1904] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\System32\StkCSrv.exe[1904] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\System32\StkCSrv.exe[1904] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\System32\StkCSrv.exe[1904] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\System32\StkCSrv.exe[1904] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\System32\StkCSrv.exe[1904] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\System32\StkCSrv.exe[1904] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\System32\StkCSrv.exe[1904] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\System32\StkCSrv.exe[1904] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\System32\StkCSrv.exe[1904] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\System32\StkCSrv.exe[1904] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\System32\StkCSrv.exe[1904] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\System32\StkCSrv.exe[1904] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[2440] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\wbem\wmiprvse.exe[2440] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[2440] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\wmiprvse.exe[2440] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\wmiprvse.exe[2440] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\WUDFHost.exe[2568] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[2568] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\WUDFHost.exe[2568] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WUDFHost.exe[2568] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\WUDFHost.exe[2568] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\WUDFHost.exe[2568] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\WUDFHost.exe[2568] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\WUDFHost.exe[2568] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\WUDFHost.exe[2568] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\WUDFHost.exe[2568] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\WUDFHost.exe[2568] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\WUDFHost.exe[2568] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\WUDFHost.exe[2568] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\WUDFHost.exe[2568] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\WUDFHost.exe[2568] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\WUDFHost.exe[2568] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\WUDFHost.exe[2568] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[2728] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\wbem\unsecapp.exe[2728] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[2728] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\unsecapp.exe[2728] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\wbem\unsecapp.exe[2728] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\CCleaner\CCleaner.exe[2752] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\CCleaner\CCleaner.exe[2752] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Program Files\CCleaner\CCleaner.exe[2752] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Program Files\CCleaner\CCleaner.exe[2752] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!SetScrollRange 76E5AE3C 5 Bytes JMP 013DA6CF C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!GetScrollInfo 76E65151 5 Bytes JMP 013DA7EE C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!SetScrollInfo 76E66632 5 Bytes JMP 013DA746 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!GetScrollRange 76E81B6C 5 Bytes JMP 013DA780 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!SetScrollPos 76E81BD0 5 Bytes JMP 013DA70C C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!GetScrollPos 76E8252B 5 Bytes JMP 013DA7BA C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!EnableScrollBar 76E8386D 5 Bytes JMP 013DA825 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!ShowScrollBar 76E85785 5 Bytes JMP 013DA698 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[2752] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Program Files\CCleaner\CCleaner.exe[2752] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\LogonUI.exe[2828] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\LogonUI.exe[2828] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\LogonUI.exe[2828] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\LogonUI.exe[2828] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\LogonUI.exe[2828] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\LogonUI.exe[2828] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\LogonUI.exe[2828] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\LogonUI.exe[2828] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\LogonUI.exe[2828] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\LogonUI.exe[2828] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\LogonUI.exe[2828] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\LogonUI.exe[2828] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\LogonUI.exe[2828] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\LogonUI.exe[2828] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\LogonUI.exe[2828] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\LogonUI.exe[2828] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\LogonUI.exe[2828] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\Ati2evxx.exe[2864] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[2864] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Ati2evxx.exe[2864] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[2864] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\Ati2evxx.exe[2864] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\Ati2evxx.exe[2864] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\Ati2evxx.exe[2864] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\Ati2evxx.exe[2864] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\Ati2evxx.exe[2864] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\Ati2evxx.exe[2864] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\Ati2evxx.exe[2864] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\Ati2evxx.exe[2864] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\Ati2evxx.exe[2864] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\Ati2evxx.exe[2864] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\Ati2evxx.exe[2864] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\Ati2evxx.exe[2864] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\Ati2evxx.exe[2864] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2988] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[3016] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3016] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskhost.exe[3016] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3016] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[3016] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[3016] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\taskhost.exe[3016] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[3016] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[3016] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[3016] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[3016] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[3016] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[3016] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[3016] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[3016] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[3016] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[3016] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[3168] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3168] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[3168] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3168] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[3168] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[3168] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[3168] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[3168] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[3168] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[3168] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[3168] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[3168] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[3168] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[3168] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[3168] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[3168] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[3168] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[3200] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3200] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\Explorer.EXE[3200] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3200] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[3200] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[3200] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[3200] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[3200] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[3200] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[3200] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[3200] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[3200] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[3200] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[3200] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[3200] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\Explorer.EXE[3200] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[3200] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Program Files\MyDrive Connect\TomTom MyDrive Connect.exe[3356] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Users\Krzysiek\Desktop\rfiiz73m.exe[3368] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 717B000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 7178000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 717E000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7181000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Program Files\Glary Utilities 4\Integrator.exe[3448] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[3504] ntdll.dll!NtAlpcSendWaitReceivePort 770A46C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3504] ntdll.dll!NtAlpcSendWaitReceivePort + 4 770A46C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\SearchIndexer.exe[3504] ntdll.dll!NtClose 770A4770 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[3504] ntdll.dll!NtClose + 4 770A4774 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[3504] ntdll.dll!LdrUnloadDll 770BBEAF 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[3504] kernel32.dll!CreateProcessW 75A5202D 6 Bytes JMP 719F000A .text C:\Windows\system32\SearchIndexer.exe[3504] kernel32.dll!CreateProcessA 75A52062 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[3504] kernel32.dll!CreateProcessAsUserW 75A879B4 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[3504] ADVAPI32.dll!CreateProcessAsUserA 759F14FD 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[3504] ADVAPI32.dll!CreateProcessWithLogonW 759F42A1 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[3504] USER32.dll!SetWindowsHookExW 76E6210A 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[3504] USER32.dll!SetWinEventHook 76E6507E 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[3504] USER32.dll!SetWindowsHookExA 76E86DFA 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[3504] GDI32.dll!DeleteDC 771B6A2C 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[3504] GDI32.dll!CreateDCA 771B9975 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[3504] GDI32.dll!CreateDCW 771BBD21 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchIndexer.exe[3504] GDI32.dll!GetPixel 771BC714 6 Bytes JMP 718A000A ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73BF2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73BD5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73BD56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73BF250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73BE8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73BE4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73BE50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73BE51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73BE66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73BE82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73BE8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73BE907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73BEE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll IAT C:\Windows\Explorer.EXE[3200] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73BE4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll ---- Devices - GMER 2.2 ---- AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001d60a7ba2e Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001d60a7ba2e (not active ControlSet) ---- EOF - GMER 2.2 ----