GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-07 04:20:19 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LV01 298,09GB Running: 339r9j5d.exe; Driver: C:\Users\BEATAH~1\AppData\Local\Temp\kfliipow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x8F947228] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8F947414] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x8F946588] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x8F946E8E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x8F946C42] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8F947F8C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThread [0x8F945F74] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x8F9479BE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x8F946850] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x8F94706A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x8F946AEA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x8F947CAA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x8F9467BA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x8F9469D6] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x8F94638A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x8F946178] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x8F947642] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 119 820AC7DC 4 Bytes [28, 72, 94, 8F] .text ntkrnlpa.exe!KeSetEvent + 13D 820AC800 4 Bytes [14, 74, 94, 8F] .text ntkrnlpa.exe!KeSetEvent + 1C1 820AC884 4 Bytes [88, 65, 94, 8F] .text ntkrnlpa.exe!KeSetEvent + 1D9 820AC89C 4 Bytes [8E, 6E, 94, 8F] .text ntkrnlpa.exe!KeSetEvent + 215 820AC8D8 4 Bytes [42, 6C, 94, 8F] .text ... .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A95B000, 0x4036D, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A9A4000, 0x510, 0x40000040] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E609000, 0x1E73A0, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Dwm.exe[220] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[220] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[220] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\Dwm.exe[220] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[220] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[220] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[220] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 7198000A .text C:\Windows\system32\Dwm.exe[220] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\Dwm.exe[220] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7195000A .text C:\Windows\system32\Dwm.exe[220] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7192000A .text C:\Windows\system32\Dwm.exe[220] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7186000A .text C:\Windows\system32\Dwm.exe[220] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718C000A .text C:\Windows\system32\Dwm.exe[220] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 718F000A .text C:\Windows\system32\Dwm.exe[220] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 7189000A .text C:\Windows\system32\Dwm.exe[220] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7183000A .text C:\Windows\system32\Dwm.exe[220] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7180000A .text C:\Windows\system32\Dwm.exe[220] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717D000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Users\beata h\Pulpit\339r9j5d.exe[320] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[404] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[404] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[404] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\Explorer.EXE[404] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[404] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[404] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[404] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 7198000A .text C:\Windows\Explorer.EXE[404] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\Explorer.EXE[404] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7195000A .text C:\Windows\Explorer.EXE[404] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7192000A .text C:\Windows\Explorer.EXE[404] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7186000A .text C:\Windows\Explorer.EXE[404] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718C000A .text C:\Windows\Explorer.EXE[404] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 718F000A .text C:\Windows\Explorer.EXE[404] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 7189000A .text C:\Windows\Explorer.EXE[404] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7183000A .text C:\Windows\Explorer.EXE[404] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7180000A .text C:\Windows\Explorer.EXE[404] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717D000A .text C:\Windows\system32\svchost.exe[524] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[524] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[524] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[524] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[524] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[524] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[524] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[524] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[524] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[524] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[524] RPCRT4.dll!RpcServerRegisterIfEx 75E1929C 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[524] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[524] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[524] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[524] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[524] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[524] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[524] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718A000A .text C:\Windows\system32\csrss.exe[656] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 5 Bytes JMP 756D1EB0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[656] ntdll.dll!NtReplyWaitReceivePort 77144F74 5 Bytes JMP 756D15D0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[656] ntdll.dll!NtReplyWaitReceivePortEx 77144F84 5 Bytes JMP 756D1A40 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\wininit.exe[720] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\wininit.exe[720] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[720] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [14, 71] {ADC AL, 0x71} .text C:\Windows\system32\wininit.exe[720] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[720] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\wininit.exe[720] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\wininit.exe[720] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\wininit.exe[720] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\wininit.exe[720] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\wininit.exe[720] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!RegisterRawInputDevices 757A6161 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[720] USER32.dll!RegisterRawInputDevices + 4 757A6165 2 Bytes [35, 71] .text C:\Windows\system32\wininit.exe[720] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7175000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SystemParametersInfoA 757A82E1 6 Bytes JMP 7121000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!GetAsyncKeyState 757A863C 6 Bytes JMP 7139000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7172000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendNotifyMessageW 757A93D6 6 Bytes JMP 714B000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!MoveWindow 757A989F 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[720] USER32.dll!MoveWindow + 4 757A98A3 2 Bytes [2F, 71] .text C:\Windows\system32\wininit.exe[720] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 716F000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SetParent 757AA2AA 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[720] USER32.dll!SetParent + 4 757AA2AE 2 Bytes [32, 71] .text C:\Windows\system32\wininit.exe[720] USER32.dll!PostThreadMessageA 757ABD34 6 Bytes JMP 7166000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!GetKeyboardState 757ABD7D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[720] USER32.dll!GetKeyboardState + 4 757ABD81 2 Bytes [3E, 71] .text C:\Windows\system32\wininit.exe[720] USER32.dll!RegisterHotKey 757ABDA5 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[720] USER32.dll!RegisterHotKey + 4 757ABDA9 2 Bytes [23, 71] .text C:\Windows\system32\wininit.exe[720] USER32.dll!EnableWindow 757ACD8B 6 Bytes JMP 711B000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!PostMessageA 757AF8F8 6 Bytes JMP 716C000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendMessageA 757AF956 6 Bytes JMP 7160000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendMessageTimeoutW 757B352D 6 Bytes JMP 7157000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendMessageCallbackW 757B4570 6 Bytes JMP 7151000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!PostThreadMessageW 757B7C8E 6 Bytes JMP 7163000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!GetKeyState 757B8CB1 6 Bytes JMP 713C000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!PostMessageW 757BA175 6 Bytes JMP 7169000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendMessageW 757C0AED 6 Bytes JMP 715D000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SystemParametersInfoW 757C11D8 6 Bytes JMP 711E000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendDlgItemMessageA 757C275B 6 Bytes JMP 7148000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SetClipboardViewer 757CBA2D 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[720] USER32.dll!SetClipboardViewer + 4 757CBA31 2 Bytes [2C, 71] {SUB AL, 0x71} .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendNotifyMessageA 757CDFCF 6 Bytes JMP 714E000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!BlockInput 757CFF0A 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[720] USER32.dll!BlockInput + 4 757CFF0E 2 Bytes [29, 71] .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendMessageTimeoutA 757D0006 6 Bytes JMP 715A000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!mouse_event 757D044E 6 Bytes JMP 7178000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendDlgItemMessageW 757D0E38 6 Bytes JMP 7145000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendInput 757D2F75 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendInput + 4 757D2F79 2 Bytes [41, 71] .text C:\Windows\system32\wininit.exe[720] USER32.dll!GetClipboardData 757E715A 6 Bytes JMP 7127000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!ExitWindowsEx 757EB7C3 6 Bytes JMP 7118000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!keybd_event 757FD972 6 Bytes JMP 717B000A .text C:\Windows\system32\wininit.exe[720] USER32.dll!SendMessageCallbackA 75802CA7 6 Bytes JMP 7154000A .text C:\Windows\system32\wininit.exe[720] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\wininit.exe[720] GDI32.dll!BitBlt 761170A6 6 Bytes JMP 7187000A .text C:\Windows\system32\wininit.exe[720] GDI32.dll!StretchBlt 761193D6 6 Bytes JMP 717E000A .text C:\Windows\system32\wininit.exe[720] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\wininit.exe[720] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\wininit.exe[720] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\wininit.exe[720] GDI32.dll!MaskBlt 7611C5CB 6 Bytes JMP 7184000A .text C:\Windows\system32\wininit.exe[720] GDI32.dll!PlgBlt 7612EB50 6 Bytes JMP 7181000A .text C:\Windows\system32\csrss.exe[732] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 5 Bytes JMP 756D1EB0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[732] ntdll.dll!NtReplyWaitReceivePort 77144F74 5 Bytes JMP 756D15D0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[732] ntdll.dll!NtReplyWaitReceivePortEx 77144F84 5 Bytes JMP 756D1A40 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\services.exe[772] services.exe 00941628 4 Bytes [70, 39, 01, 10] {JO 0x3b; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[772] services.exe 00941638 4 Bytes [50, 3D, 01, 10] .text C:\Windows\system32\services.exe[772] services.exe 00941658 4 Bytes [D0, 36, 01, 10] {SAL BYTE [ESI], 0x1; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[772] services.exe 00941668 4 Bytes [70, 3B, 01, 10] {JO 0x3d; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[772] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[772] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[772] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\services.exe[772] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[772] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[772] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\services.exe[772] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\services.exe[772] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\services.exe[772] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[772] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\services.exe[772] RPCRT4.dll!RpcServerRegisterIfEx 75E1929C 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[772] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[772] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7181000A .text C:\Windows\system32\services.exe[772] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[772] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[772] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[772] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[772] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[816] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[816] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[816] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\lsass.exe[816] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[816] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[816] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\lsass.exe[816] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[816] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\lsass.exe[816] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[816] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[816] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[816] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[816] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[816] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[816] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[816] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[816] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[824] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[824] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[824] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\lsm.exe[824] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[824] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[824] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\lsm.exe[824] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[824] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\lsm.exe[824] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[824] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[824] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[824] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[824] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[824] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[824] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[824] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[824] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[976] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[976] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[976] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[976] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[976] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[976] RPCRT4.dll!RpcServerRegisterIfEx 75E1929C 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[976] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[976] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[976] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[976] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[976] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[976] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[976] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718A000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] KERNEL32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] KERNEL32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] KERNEL32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[1024] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1072] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1072] RPCRT4.dll!RpcServerRegisterIfEx 75E1929C 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1072] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1072] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1072] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1072] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1072] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1072] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1072] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1072] rpcss.dll!WhichService 71D63F84 8 Bytes [10, 33, 01, 10, D0, 30, 01, ...] {ADC [EBX], DH; ADD [EAX], EDX; SAL BYTE [EAX], 0x1; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1172] ntdll.dll!NtAllocateVirtualMemory 77143FA4 2 Bytes JMP 00AD3FD0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1172] ntdll.dll!NtAllocateVirtualMemory + 3 77143FA7 2 Bytes [99, 89] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1172] ntdll.dll!NtCreateFile 77144244 5 Bytes JMP 00B0DB90 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Windows\system32\svchost.exe[1220] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1220] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1220] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1220] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1220] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1220] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1220] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1220] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[1240] ntdll.dll!NtAllocateVirtualMemory 77143FA4 5 Bytes JMP 00FD2FB0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Windows\system32\Ati2evxx.exe[1268] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\Ati2evxx.exe[1268] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[1268] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\Ati2evxx.exe[1268] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[1268] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\Ati2evxx.exe[1268] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\Ati2evxx.exe[1268] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\Ati2evxx.exe[1268] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\Ati2evxx.exe[1268] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\Ati2evxx.exe[1268] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\Ati2evxx.exe[1268] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\Ati2evxx.exe[1268] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\Ati2evxx.exe[1268] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\Ati2evxx.exe[1268] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\Ati2evxx.exe[1268] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\Ati2evxx.exe[1268] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\Ati2evxx.exe[1268] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1284] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1284] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1284] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\System32\svchost.exe[1284] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1284] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1284] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1284] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\System32\svchost.exe[1284] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1284] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1284] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1284] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1284] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1284] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1284] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1284] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1284] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1316] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1316] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1316] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\System32\svchost.exe[1316] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1316] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1316] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1316] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1316] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\System32\svchost.exe[1316] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1316] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1316] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1316] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1316] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1316] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1316] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1316] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1316] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1344] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1344] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1344] RPCRT4.dll!RpcServerRegisterIfEx 75E1929C 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1344] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1344] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1344] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1344] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718A000A .text C:\Windows\system32\AUDIODG.EXE[1404] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[1404] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[1404] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\AUDIODG.EXE[1404] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[1404] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[1404] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719E001E .text C:\Windows\system32\AUDIODG.EXE[1404] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719B001E .text C:\Windows\system32\AUDIODG.EXE[1404] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\AUDIODG.EXE[1404] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7198001E .text C:\Windows\system32\AUDIODG.EXE[1404] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7195001E .text C:\Windows\system32\AUDIODG.EXE[1404] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[1404] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[1404] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[1404] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[1404] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7186001E .text C:\Windows\system32\AUDIODG.EXE[1404] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7183001E .text C:\Windows\system32\AUDIODG.EXE[1404] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7180001E .text C:\Windows\system32\svchost.exe[1432] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1432] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1432] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\svchost.exe[1432] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1432] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1432] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1432] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1432] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1432] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1432] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1432] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1432] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1432] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1432] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1432] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1492] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1492] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1492] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1492] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1492] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1492] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1492] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1492] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1492] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\conime.exe[1836] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\conime.exe[1836] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conime.exe[1836] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\conime.exe[1836] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conime.exe[1836] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\conime.exe[1836] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\conime.exe[1836] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 7198000A .text C:\Windows\system32\conime.exe[1836] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\conime.exe[1836] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7195000A .text C:\Windows\system32\conime.exe[1836] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7192000A .text C:\Windows\system32\conime.exe[1836] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7186000A .text C:\Windows\system32\conime.exe[1836] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718C000A .text C:\Windows\system32\conime.exe[1836] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 718F000A .text C:\Windows\system32\conime.exe[1836] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 7189000A .text C:\Windows\system32\conime.exe[1836] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7183000A .text C:\Windows\system32\conime.exe[1836] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7180000A .text C:\Windows\system32\conime.exe[1836] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717D000A .text C:\Windows\system32\taskeng.exe[1940] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[1940] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1940] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\taskeng.exe[1940] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1940] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[1940] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\taskeng.exe[1940] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[1940] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\taskeng.exe[1940] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[1940] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[1940] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[1940] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[1940] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[1940] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[1940] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[1940] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[1940] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1952] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1952] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1952] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\System32\spoolsv.exe[1952] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1952] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1952] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\System32\spoolsv.exe[1952] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1952] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\System32\spoolsv.exe[1952] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1952] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1952] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1952] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1952] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1952] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1952] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1952] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1952] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\Ati2evxx.exe[1972] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\Ati2evxx.exe[1972] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[1972] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\Ati2evxx.exe[1972] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[1972] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\Ati2evxx.exe[1972] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\Ati2evxx.exe[1972] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\Ati2evxx.exe[1972] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\Ati2evxx.exe[1972] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\Ati2evxx.exe[1972] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\Ati2evxx.exe[1972] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\Ati2evxx.exe[1972] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\Ati2evxx.exe[1972] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\Ati2evxx.exe[1972] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\Ati2evxx.exe[1972] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\Ati2evxx.exe[1972] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\Ati2evxx.exe[1972] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2060] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\agrsmsvc.exe[2128] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\agrsmsvc.exe[2128] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\agrsmsvc.exe[2128] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\agrsmsvc.exe[2128] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\agrsmsvc.exe[2128] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\agrsmsvc.exe[2128] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\agrsmsvc.exe[2128] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\agrsmsvc.exe[2128] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\agrsmsvc.exe[2128] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\agrsmsvc.exe[2128] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\agrsmsvc.exe[2128] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\agrsmsvc.exe[2128] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\agrsmsvc.exe[2128] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\agrsmsvc.exe[2128] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\agrsmsvc.exe[2128] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\agrsmsvc.exe[2128] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\agrsmsvc.exe[2128] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 7198000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7186000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718C000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 718F000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 7189000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7183000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7180000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717D000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7195000A .text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2160] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[2228] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2228] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2228] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\svchost.exe[2228] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2228] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2228] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2228] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2228] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[2228] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2228] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2228] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2228] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2228] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2228] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2228] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2228] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2228] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2384] ntdll.dll!NtAllocateVirtualMemory 77143FA4 5 Bytes JMP 00BE1000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Windows\system32\svchost.exe[2396] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2396] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2396] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\svchost.exe[2396] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2396] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2396] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2396] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2396] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[2396] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2396] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2396] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2396] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2396] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2396] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2396] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2396] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2396] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2428] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\TODDSrv.exe[2460] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\TODDSrv.exe[2460] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\TODDSrv.exe[2460] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\TODDSrv.exe[2460] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\TODDSrv.exe[2460] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\TODDSrv.exe[2460] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\TODDSrv.exe[2460] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\TODDSrv.exe[2460] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\TODDSrv.exe[2460] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\TODDSrv.exe[2460] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\TODDSrv.exe[2460] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\TODDSrv.exe[2460] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\TODDSrv.exe[2460] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\TODDSrv.exe[2460] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\TODDSrv.exe[2460] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\TODDSrv.exe[2460] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\TODDSrv.exe[2460] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2484] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2544] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe[2568] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[2608] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[2608] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2608] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\System32\svchost.exe[2608] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2608] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[2608] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[2608] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[2608] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\System32\svchost.exe[2608] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[2608] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[2608] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[2608] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[2608] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[2608] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[2608] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[2608] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[2608] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchIndexer.exe[2632] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[2632] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2632] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\SearchIndexer.exe[2632] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2632] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[2632] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\SearchIndexer.exe[2632] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[2632] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\SearchIndexer.exe[2632] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[2632] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[2632] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[2632] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[2632] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[2632] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[2632] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchIndexer.exe[2632] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[2632] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718A000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [6F, 71] .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 7197000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 7194000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7191000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 718E000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 717C000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7188000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 718B000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 7185000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7179000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7176000A .text C:\Program Files\Windows Sidebar\sidebar.exe[2808] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7173000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2820] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe[2984] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] ntdll.dll!LdrLoadDll 77109378 5 Bytes JMP 6501D2A0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] kernel32.dll!HeapSetInformation + 26 75D3A8B0 1 Byte [E9] .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] kernel32.dll!HeapSetInformation + 26 75D3A8B0 7 Bytes JMP 65032245 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] kernel32.dll!LockResource + C 75D56ACB 7 Bytes JMP 6536E7C3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] kernel32.dll!VirtualAllocEx + 54 75D5AF50 7 Bytes JMP 6536E7E6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] GDI32.dll!SetStretchBltMode + 256 7611745C 7 Bytes JMP 6536E744 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3084] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3284] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[3452] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\wbem\unsecapp.exe[3452] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\unsecapp.exe[3452] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\unsecapp.exe[3452] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\wbem\unsecapp.exe[3452] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[3636] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\wbem\wmiprvse.exe[3636] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[3636] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\wmiprvse.exe[3636] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\wmiprvse.exe[3636] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3760] ntdll.dll!LdrUnloadDll 7711B680 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3760] ntdll.dll!NtAlpcSendWaitReceivePort 771440E4 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3760] ntdll.dll!NtAlpcSendWaitReceivePort + 4 771440E8 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\svchost.exe[3760] ntdll.dll!NtClose 77144184 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3760] ntdll.dll!NtClose + 4 77144188 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3760] kernel32.dll!CreateProcessW 75D11BF3 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[3760] kernel32.dll!CreateProcessA 75D11C28 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3760] kernel32.dll!LoadLibraryExW + 173 75D393DF 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[3760] ADVAPI32.dll!CreateProcessAsUserA 7726CEB9 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3760] ADVAPI32.dll!CreateProcessAsUserW 77281EE9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3760] USER32.dll!SetWindowsHookExA 757A6322 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[3760] USER32.dll!SetWindowsHookExW 757A87AD 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[3760] USER32.dll!SetWinEventHook 757A9F3A 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[3760] GDI32.dll!DeleteDC 761168CD 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[3760] GDI32.dll!CreateDCW 7611A91D 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3760] GDI32.dll!CreateDCA 7611AA49 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3760] GDI32.dll!GetPixel 7611BE90 6 Bytes JMP 718D000A ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- EOF - GMER 2.1 ----