GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-17 14:30:44 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK2552GSX rev.LV011C 232,89GB Running: uhy4ji1z.exe; Driver: C:\Users\Grucha\AppData\Local\Temp\pxldrpow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x90D499FE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x90D49BF2] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x90D48CAE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x90D4962C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x90D493BE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x90D4A7B2] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x93E2DF80] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x90D49E3C] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x93E2E040] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x90D48F92] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x90D49824] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x90D49246] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x93E2E000] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x90D48EFC] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x93E2DFC0] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x90D48A8E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x90D4885C] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83287A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832C1212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 832C846C 4 Bytes [FE, 99, D4, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 832C8494 4 Bytes [F2, 9B, D4, 90] {WAIT ; AAM 0x90} .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 832C8528 4 Bytes [AE, 8C, D4, 90] {SCASB ; MOV ESP, SS; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 832C8544 4 Bytes [2C, 96, D4, 90] {SUB AL, 0x96; AAM 0x90} .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 832C858C 4 Bytes [BE, 93, D4, 90] .text ... .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x9480C340, 0x3E0487, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[272] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Nokia\ADUService\ADUService.exe[372] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] kernel32.dll!SetUnhandledExceptionFilter 7619F5AB 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[384] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\csrss.exe[456] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 5 Bytes JMP 75C32270 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[456] ntdll.dll!NtReplyWaitReceivePort 77C36458 5 Bytes JMP 75C31970 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[456] ntdll.dll!NtReplyWaitReceivePortEx 77C36468 5 Bytes JMP 75C31DF0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe[472] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[520] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[520] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[520] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[520] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[520] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[520] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[520] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[520] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[520] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[520] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[520] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[520] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[520] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[520] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[520] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[520] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[520] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\csrss.exe[536] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 5 Bytes JMP 75C32270 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[536] ntdll.dll!NtReplyWaitReceivePort 77C36458 5 Bytes JMP 75C31970 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[536] ntdll.dll!NtReplyWaitReceivePortEx 77C36468 5 Bytes JMP 75C31DF0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\services.exe[588] services.exe 00531608 4 Bytes [40, 5A, 01, 10] {INC EAX; POP EDX; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[588] services.exe 00531618 4 Bytes [20, 5E, 01, 10] .text C:\Windows\system32\services.exe[588] services.exe 00531638 4 Bytes [A0, 57, 01, 10] .text C:\Windows\system32\services.exe[588] services.exe 00531648 4 Bytes [40, 5C, 01, 10] {INC EAX; POP ESP; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[588] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[588] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\services.exe[588] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[588] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[588] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[588] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\services.exe[588] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\services.exe[588] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[588] RPCRT4.dll!RpcServerRegisterIfEx 774C0898 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[588] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717B000A .text C:\Windows\system32\services.exe[588] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 7178000A .text C:\Windows\system32\services.exe[588] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[588] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[588] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[588] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[588] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[588] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[588] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[604] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[604] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsass.exe[604] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[604] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[604] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[604] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsass.exe[604] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[604] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[604] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[604] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[604] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[604] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[604] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[604] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[604] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[604] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[604] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[612] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[612] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsm.exe[612] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[612] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[612] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[612] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsm.exe[612] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[612] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[612] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[612] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsm.exe[612] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[612] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[612] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[612] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[612] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[612] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[612] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[772] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[772] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[772] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[772] RPCRT4.dll!RpcServerRegisterIfEx 774C0898 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[772] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[772] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[772] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[772] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[772] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[840] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[840] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\nvvsvc.exe[840] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[840] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[840] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[840] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[840] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[840] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[840] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[840] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[840] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[840] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[840] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[840] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[840] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[840] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[840] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[876] RPCRT4.dll!RpcServerRegisterIfEx 774C0898 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[876] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[876] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[876] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[876] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[876] rpcss.dll!CoGetComCatalog 751735EC 8 Bytes [80, 4F, 01, 10, 40, 4D, 01, ...] {OR BYTE [EDI+0x1], 0x10; INC EAX; DEC EBP; ADD [EAX], EDX} .text C:\Windows\system32\svchost.exe[948] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[948] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[948] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[948] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[948] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[948] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[948] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[948] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[948] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[948] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[948] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[948] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[976] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 00F03760 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[976] ntdll.dll!NtCreateFile 77C35608 5 Bytes JMP 00F4D090 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1036] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1036] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1036] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1036] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1036] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1036] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1036] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1076] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1076] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1076] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1076] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1076] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1076] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1076] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1076] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1076] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1076] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1076] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1076] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1108] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1108] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1108] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1108] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1108] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1108] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1108] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1108] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1108] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1108] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1108] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1108] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1148] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1148] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1148] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1148] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1180] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1180] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1180] RPCRT4.dll!RpcServerRegisterIfEx 774C0898 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1180] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1180] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1180] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1180] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1180] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1180] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe[1212] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtCreateFile + 6 77C3560E 4 Bytes [28, 30, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtCreateFile + B 77C35613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 4 Bytes [28, 33, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtMapViewOfSection + B 77C35C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenFile + 6 77C35D1E 4 Bytes [68, 30, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenFile + B 77C35D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenProcess + 6 77C35DCE 4 Bytes [A8, 31, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenProcess + B 77C35DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenProcessToken + B 77C35DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 4 Bytes [A8, 32, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenProcessTokenEx + B 77C35DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenThread + 6 77C35E4E 4 Bytes [68, 31, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenThread + B 77C35E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 4 Bytes [68, 32, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenThreadToken + B 77C35E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtOpenThreadTokenEx + B 77C35E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 4 Bytes [A8, 30, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtQueryAttributesFile + B 77C35F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtQueryFullAttributesFile + B 77C36033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtSetInformationFile + 6 77C3667E 4 Bytes [28, 31, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtSetInformationFile + B 77C36683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtSetInformationThread + 6 77C366DE 4 Bytes [28, 32, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtSetInformationThread + B 77C366E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 4 Bytes [68, 33, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!NtUnmapViewOfSection + B 77C36A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1232] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1348] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1348] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1348] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] KERNEL32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] KERNEL32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] KERNEL32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\Bin\IpOverUsbSvc.exe[1388] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\Hpservice.exe[1456] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Hpservice.exe[1456] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Hpservice.exe[1456] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Hpservice.exe[1456] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\Hpservice.exe[1456] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\Hpservice.exe[1456] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\Hpservice.exe[1456] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\Hpservice.exe[1456] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\Hpservice.exe[1456] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\Hpservice.exe[1456] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\Hpservice.exe[1456] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\Hpservice.exe[1456] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\Hpservice.exe[1456] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\Hpservice.exe[1456] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\Hpservice.exe[1456] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\Hpservice.exe[1456] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\Hpservice.exe[1456] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtCreateFile + 6 77C3560E 4 Bytes [28, F0, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtCreateFile + B 77C35613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 4 Bytes [28, F3, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtMapViewOfSection + B 77C35C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenFile + 6 77C35D1E 4 Bytes [68, F0, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenFile + B 77C35D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenProcess + 6 77C35DCE 4 Bytes [A8, F1, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenProcess + B 77C35DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenProcessToken + B 77C35DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 4 Bytes [A8, F2, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenProcessTokenEx + B 77C35DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenThread + 6 77C35E4E 4 Bytes [68, F1, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenThread + B 77C35E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 4 Bytes [68, F2, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenThreadToken + B 77C35E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtOpenThreadTokenEx + B 77C35E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 4 Bytes [A8, F0, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtQueryAttributesFile + B 77C35F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtQueryFullAttributesFile + B 77C36033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtSetInformationFile + 6 77C3667E 4 Bytes [28, F1, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtSetInformationFile + B 77C36683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtSetInformationThread + 6 77C366DE 4 Bytes [28, F2, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtSetInformationThread + B 77C366E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 4 Bytes [68, F3, 90, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!NtUnmapViewOfSection + B 77C36A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[1464] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text c:\Windows\system32\vfsFPService.exe[1524] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text c:\Windows\system32\vfsFPService.exe[1524] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text c:\Windows\system32\vfsFPService.exe[1524] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text c:\Windows\system32\vfsFPService.exe[1524] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text c:\Windows\system32\vfsFPService.exe[1524] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text c:\Windows\system32\vfsFPService.exe[1524] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text c:\Windows\system32\vfsFPService.exe[1524] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text c:\Windows\system32\vfsFPService.exe[1524] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text c:\Windows\system32\vfsFPService.exe[1524] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text c:\Windows\system32\vfsFPService.exe[1524] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text c:\Windows\system32\vfsFPService.exe[1524] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text c:\Windows\system32\vfsFPService.exe[1524] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text c:\Windows\system32\vfsFPService.exe[1524] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text c:\Windows\system32\vfsFPService.exe[1524] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text c:\Windows\system32\vfsFPService.exe[1524] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text c:\Windows\system32\vfsFPService.exe[1524] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text c:\Windows\system32\vfsFPService.exe[1524] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\rundll32.exe[1544] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\rundll32.exe[1544] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\rundll32.exe[1544] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\rundll32.exe[1544] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\rundll32.exe[1544] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\rundll32.exe[1544] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\rundll32.exe[1544] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\rundll32.exe[1544] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\rundll32.exe[1544] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Windows\system32\rundll32.exe[1544] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Windows\system32\rundll32.exe[1544] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\rundll32.exe[1544] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\rundll32.exe[1544] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\rundll32.exe[1544] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\rundll32.exe[1544] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\rundll32.exe[1544] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\rundll32.exe[1544] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\WLANExt.exe[1772] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WLANExt.exe[1772] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\WLANExt.exe[1772] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\WLANExt.exe[1772] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\WLANExt.exe[1772] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\WLANExt.exe[1772] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\WLANExt.exe[1772] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\WLANExt.exe[1772] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\WLANExt.exe[1772] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\WLANExt.exe[1772] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\WLANExt.exe[1772] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\WLANExt.exe[1772] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\WLANExt.exe[1772] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\WLANExt.exe[1772] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\WLANExt.exe[1772] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\WLANExt.exe[1772] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\WLANExt.exe[1772] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\conhost.exe[1784] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[1784] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\conhost.exe[1784] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[1784] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\conhost.exe[1784] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\conhost.exe[1784] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\conhost.exe[1784] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\conhost.exe[1784] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\conhost.exe[1784] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\conhost.exe[1784] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\conhost.exe[1784] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\conhost.exe[1784] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\conhost.exe[1784] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\conhost.exe[1784] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\conhost.exe[1784] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\conhost.exe[1784] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\conhost.exe[1784] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1820] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1820] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\spoolsv.exe[1820] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1820] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1820] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1820] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\System32\spoolsv.exe[1820] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1820] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1820] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1820] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[1820] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1820] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1820] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1820] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1820] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1820] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1820] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1872] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1976] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1976] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1976] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1976] RPCRT4.dll!RpcServerRegisterIfEx 774C0898 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1976] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1976] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1976] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1976] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1976] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1976] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1976] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[2344] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2344] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[2344] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2344] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[2344] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[2344] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[2344] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[2344] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[2344] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[2344] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[2344] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[2344] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[2344] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[2344] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[2344] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[2344] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[2344] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[2388] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2388] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[2388] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2388] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[2388] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[2388] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[2388] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[2388] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[2388] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[2388] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[2388] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[2388] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[2388] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[2388] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[2388] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[2388] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[2388] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2516] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2516] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2516] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2516] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2516] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2516] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2516] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2516] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2516] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2516] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2516] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2516] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2516] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2516] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2516] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2516] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2516] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] kernel32.dll!SetUnhandledExceptionFilter 7619F5AB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text D:\Riot Games\League of Legends\RADS\projects\lol_launcher\releases\0.0.0.215\deploy\LoLLauncher.exe[2540] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtCreateFile + 6 77C3560E 4 Bytes [28, 5C, 58, 00] {SUB [EAX+EBX*2+0x0], BL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtCreateFile + B 77C35613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 4 Bytes [28, 5F, 58, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtMapViewOfSection + B 77C35C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenFile + 6 77C35D1E 4 Bytes [68, 5C, 58, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenFile + B 77C35D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenProcess + 6 77C35DCE 4 Bytes [A8, 5D, 58, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenProcess + B 77C35DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenProcessToken + B 77C35DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 4 Bytes [A8, 5E, 58, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenProcessTokenEx + B 77C35DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenThread + 6 77C35E4E 4 Bytes [68, 5D, 58, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenThread + B 77C35E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 4 Bytes [68, 5E, 58, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenThreadToken + B 77C35E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtOpenThreadTokenEx + B 77C35E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 4 Bytes [A8, 5C, 58, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtQueryAttributesFile + B 77C35F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtQueryFullAttributesFile + B 77C36033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtSetInformationFile + 6 77C3667E 4 Bytes [28, 5D, 58, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtSetInformationFile + B 77C36683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtSetInformationThread + 6 77C366DE 4 Bytes [28, 5E, 58, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtSetInformationThread + B 77C366E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 4 Bytes [68, 5F, 58, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!NtUnmapViewOfSection + B 77C36A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2580] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Connectify\ConnectifyService.exe[2592] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Connectify\ConnectifyService.exe[2592] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Connectify\ConnectifyService.exe[2592] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Connectify\ConnectifyService.exe[2592] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\Connectify\ConnectifyService.exe[2592] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Connectify\ConnectifyD.exe[2668] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Connectify\ConnectifyD.exe[2668] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Connectify\ConnectifyD.exe[2668] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Connectify\ConnectifyD.exe[2668] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] KERNEL32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] KERNEL32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] KERNEL32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Connectify\ConnectifyD.exe[2668] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\conhost.exe[2676] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[2676] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\conhost.exe[2676] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[2676] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\conhost.exe[2676] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\conhost.exe[2676] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\conhost.exe[2676] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\conhost.exe[2676] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\conhost.exe[2676] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\conhost.exe[2676] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\conhost.exe[2676] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\conhost.exe[2676] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\conhost.exe[2676] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\conhost.exe[2676] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\conhost.exe[2676] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\conhost.exe[2676] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\conhost.exe[2676] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtCreateFile + 6 77C3560E 4 Bytes [28, 98, E1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtCreateFile + B 77C35613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 4 Bytes [28, 9B, E1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtMapViewOfSection + B 77C35C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenFile + 6 77C35D1E 4 Bytes [68, 98, E1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenFile + B 77C35D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenProcess + 6 77C35DCE 4 Bytes [A8, 99, E1, 00] {TEST AL, 0x99; LOOPZ 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenProcess + B 77C35DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenProcessToken + B 77C35DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 4 Bytes [A8, 9A, E1, 00] {TEST AL, 0x9a; LOOPZ 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenProcessTokenEx + B 77C35DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenThread + 6 77C35E4E 4 Bytes [68, 99, E1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenThread + B 77C35E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 4 Bytes [68, 9A, E1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenThreadToken + B 77C35E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtOpenThreadTokenEx + B 77C35E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 4 Bytes [A8, 98, E1, 00] {TEST AL, 0x98; LOOPZ 0x4} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtQueryAttributesFile + B 77C35F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtQueryFullAttributesFile + B 77C36033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtSetInformationFile + 6 77C3667E 4 Bytes [28, 99, E1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtSetInformationFile + B 77C36683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtSetInformationThread + 6 77C366DE 4 Bytes [28, 9A, E1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtSetInformationThread + B 77C366E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 4 Bytes [68, 9B, E1, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!NtUnmapViewOfSection + B 77C36A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2988] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3016] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[3016] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3016] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3016] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[3016] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[3016] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[3016] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[3016] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[3016] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3016] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtCreateFile + 6 77C3560E 2 Bytes [28, CC] {SUB AH, CL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtCreateFile + 9 77C35611 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtCreateFile + 9 77C35611 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 2 Bytes [28, CF] {SUB BH, CL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtMapViewOfSection + 9 77C35C71 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtMapViewOfSection + 9 77C35C71 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenFile + 6 77C35D1E 2 Bytes [68, CC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenFile + 9 77C35D21 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenFile + 9 77C35D21 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenProcess + 6 77C35DCE 2 Bytes [A8, CD] {TEST AL, 0xcd} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenProcess + 9 77C35DD1 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenProcess + 9 77C35DD1 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenProcessToken + 9 77C35DE1 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenProcessToken + 9 77C35DE1 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 2 Bytes [A8, CE] {TEST AL, 0xce} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenProcessTokenEx + 9 77C35DF1 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenProcessTokenEx + 9 77C35DF1 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenThread + 6 77C35E4E 2 Bytes [68, CD] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenThread + 9 77C35E51 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenThread + 9 77C35E51 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 2 Bytes [68, CE] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenThreadToken + 9 77C35E61 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenThreadToken + 9 77C35E61 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenThreadTokenEx + 9 77C35E71 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtOpenThreadTokenEx + 9 77C35E71 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 2 Bytes [A8, CC] {TEST AL, 0xcc} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtQueryAttributesFile + 9 77C35F81 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtQueryAttributesFile + 9 77C35F81 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtQueryFullAttributesFile + 9 77C36031 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtQueryFullAttributesFile + 9 77C36031 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtSetInformationFile + 6 77C3667E 2 Bytes [28, CD] {SUB CH, CL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtSetInformationFile + 9 77C36681 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtSetInformationFile + 9 77C36681 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtSetInformationThread + 6 77C366DE 2 Bytes [28, CE] {SUB DH, CL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtSetInformationThread + 9 77C366E1 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtSetInformationThread + 9 77C366E1 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 2 Bytes [68, CF] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtUnmapViewOfSection + 9 77C36A01 1 Byte [00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!NtUnmapViewOfSection + 9 77C36A01 3 Bytes [00, FF, E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3128] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\System32\alg.exe[3272] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\alg.exe[3272] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\alg.exe[3272] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\alg.exe[3272] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\System32\alg.exe[3272] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\alg.exe[3272] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\System32\alg.exe[3272] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\System32\alg.exe[3272] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\alg.exe[3272] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\System32\alg.exe[3272] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\System32\alg.exe[3272] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\System32\alg.exe[3272] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\alg.exe[3272] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\alg.exe[3272] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\alg.exe[3272] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\alg.exe[3272] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\alg.exe[3272] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3424] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3424] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[3424] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3424] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[3424] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3424] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[3424] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3424] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3424] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[3424] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[3424] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[3424] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[3424] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[3424] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3424] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3424] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3424] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtCreateFile + 6 77C3560E 4 Bytes [28, 30, 29, 00] {SUB [EAX], DH; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtCreateFile + B 77C35613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 4 Bytes [28, 33, 29, 00] {SUB [EBX], DH; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtMapViewOfSection + B 77C35C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenFile + 6 77C35D1E 4 Bytes [68, 30, 29, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenFile + B 77C35D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenProcess + 6 77C35DCE 4 Bytes [A8, 31, 29, 00] {TEST AL, 0x31; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenProcess + B 77C35DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenProcessToken + B 77C35DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 4 Bytes [A8, 32, 29, 00] {TEST AL, 0x32; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenProcessTokenEx + B 77C35DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenThread + 6 77C35E4E 4 Bytes [68, 31, 29, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenThread + B 77C35E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 4 Bytes [68, 32, 29, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenThreadToken + B 77C35E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtOpenThreadTokenEx + B 77C35E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 4 Bytes [A8, 30, 29, 00] {TEST AL, 0x30; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtQueryAttributesFile + B 77C35F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtQueryFullAttributesFile + B 77C36033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtSetInformationFile + 6 77C3667E 4 Bytes [28, 31, 29, 00] {SUB [ECX], DH; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtSetInformationFile + B 77C36683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtSetInformationThread + 6 77C366DE 4 Bytes [28, 32, 29, 00] {SUB [EDX], DH; SUB [EAX], EAX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtSetInformationThread + B 77C366E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 4 Bytes [68, 33, 29, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!NtUnmapViewOfSection + B 77C36A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[3472] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[3672] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3672] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskeng.exe[3672] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3672] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[3672] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[3672] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\taskeng.exe[3672] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[3672] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[3672] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[3672] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[3672] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[3672] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[3672] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[3672] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[3672] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[3672] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[3672] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[3692] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3692] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[3692] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3692] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[3692] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[3692] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[3692] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[3692] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[3692] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[3692] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[3692] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[3692] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[3692] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[3692] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[3692] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[3692] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[3692] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Realtek\RtkDashClientInstaller\RtkDashClient.exe[3724] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[3732] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3732] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\Explorer.EXE[3732] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3732] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[3732] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[3732] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[3732] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[3732] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[3732] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[3732] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[3732] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[3732] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[3732] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[3732] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[3732] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[3732] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Windows\Explorer.EXE[3732] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Hewlett-Packard\Media\Webcam\YCMMirage.exe[3792] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[3820] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3820] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskeng.exe[3820] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[3820] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[3820] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[3820] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\taskeng.exe[3820] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[3820] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[3820] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[3820] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[3820] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[3820] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[3820] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[3820] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[3820] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[3820] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[3820] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[3832] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3832] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskhost.exe[3832] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3832] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[3832] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[3832] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\taskhost.exe[3832] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[3832] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[3832] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[3832] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[3832] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[3832] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[3832] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[3832] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[3832] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[3832] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[3832] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4080] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 012C11F0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4080] ntdll.dll!NtCreateFile 77C35608 5 Bytes JMP 012C1000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\DigitalPersona\Bin\DpAgent.exe[4252] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtCreateFile + 6 77C3560E 4 Bytes [28, 74, 2C, 00] {SUB [ESP+EBP+0x0], DH} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtCreateFile + B 77C35613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 4 Bytes [28, 77, 2C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtMapViewOfSection + B 77C35C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenFile + 6 77C35D1E 4 Bytes [68, 74, 2C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenFile + B 77C35D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenProcess + 6 77C35DCE 4 Bytes [A8, 75, 2C, 00] {TEST AL, 0x75; SUB AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenProcess + B 77C35DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenProcessToken + B 77C35DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 4 Bytes [A8, 76, 2C, 00] {TEST AL, 0x76; SUB AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenProcessTokenEx + B 77C35DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenThread + 6 77C35E4E 4 Bytes [68, 75, 2C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenThread + B 77C35E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 4 Bytes [68, 76, 2C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenThreadToken + B 77C35E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtOpenThreadTokenEx + B 77C35E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 4 Bytes [A8, 74, 2C, 00] {TEST AL, 0x74; SUB AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtQueryAttributesFile + B 77C35F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtQueryFullAttributesFile + B 77C36033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtSetInformationFile + 6 77C3667E 4 Bytes [28, 75, 2C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtSetInformationFile + B 77C36683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtSetInformationThread + 6 77C366DE 4 Bytes [28, 76, 2C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtSetInformationThread + B 77C366E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 4 Bytes [68, 77, 2C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!NtUnmapViewOfSection + B 77C36A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4332] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[4404] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[4404] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[4404] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[4404] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[4404] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[4404] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[4404] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[4404] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[4404] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[4404] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[4404] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[4404] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[4404] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[4404] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[4404] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[4404] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[4404] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text D:\Riot Games\League of Legends\RADS\system\rads_user_kernel.exe[4480] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4600] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\AUDIODG.EXE[4672] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[4672] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\AUDIODG.EXE[4672] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[4672] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[4672] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[4672] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719E001E .text C:\Windows\system32\AUDIODG.EXE[4672] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719B001E .text C:\Windows\system32\AUDIODG.EXE[4672] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[4672] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7180001E .text C:\Windows\system32\AUDIODG.EXE[4672] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\AUDIODG.EXE[4672] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\AUDIODG.EXE[4672] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\AUDIODG.EXE[4672] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[4672] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[4672] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[4672] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7198001E .text C:\Windows\system32\AUDIODG.EXE[4672] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7195001E .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[4824] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[4876] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[4876] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\SearchIndexer.exe[4876] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[4876] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[4876] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[4876] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\system32\SearchIndexer.exe[4876] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[4876] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[4876] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[4876] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[4876] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[4876] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[4876] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[4876] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[4876] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchIndexer.exe[4876] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[4876] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717B000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 7178000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 717E000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7181000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[4880] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Users\Grucha\Downloads\uhy4ji1z.exe[4952] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[5040] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 00F04FE0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5060] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Users\Grucha\Downloads\OTL.exe[5220] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\Grucha\Downloads\OTL.exe[5220] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Users\Grucha\Downloads\OTL.exe[5220] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Users\Grucha\Downloads\OTL.exe[5220] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Users\Grucha\Downloads\OTL.exe[5220] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtCreateFile + 6 77C3560E 4 Bytes [28, 70, 23, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtCreateFile + B 77C35613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 4 Bytes [28, 73, 23, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtMapViewOfSection + B 77C35C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenFile + 6 77C35D1E 4 Bytes [68, 70, 23, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenFile + B 77C35D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenProcess + 6 77C35DCE 4 Bytes [A8, 71, 23, 00] {TEST AL, 0x71; AND EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenProcess + B 77C35DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenProcessToken + B 77C35DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 4 Bytes [A8, 72, 23, 00] {TEST AL, 0x72; AND EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenProcessTokenEx + B 77C35DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenThread + 6 77C35E4E 4 Bytes [68, 71, 23, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenThread + B 77C35E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 4 Bytes [68, 72, 23, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenThreadToken + B 77C35E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtOpenThreadTokenEx + B 77C35E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 4 Bytes [A8, 70, 23, 00] {TEST AL, 0x70; AND EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtQueryAttributesFile + B 77C35F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtQueryFullAttributesFile + B 77C36033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtSetInformationFile + 6 77C3667E 4 Bytes [28, 71, 23, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtSetInformationFile + B 77C36683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtSetInformationThread + 6 77C366DE 4 Bytes [28, 72, 23, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtSetInformationThread + B 77C366E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 4 Bytes [68, 73, 23, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!NtUnmapViewOfSection + B 77C36A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5348] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtCreateFile + 6 77C3560E 4 Bytes [28, E4, B3, 00] {SUB AH, AH; MOV BL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtCreateFile + B 77C35613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 4 Bytes [28, E7, B3, 00] {SUB BH, AH; MOV BL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtMapViewOfSection + B 77C35C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenFile + 6 77C35D1E 4 Bytes [68, E4, B3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenFile + B 77C35D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenProcess + 6 77C35DCE 4 Bytes [A8, E5, B3, 00] {TEST AL, 0xe5; MOV BL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenProcess + B 77C35DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenProcessToken + B 77C35DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 4 Bytes [A8, E6, B3, 00] {TEST AL, 0xe6; MOV BL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenProcessTokenEx + B 77C35DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenThread + 6 77C35E4E 4 Bytes [68, E5, B3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenThread + B 77C35E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 4 Bytes [68, E6, B3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenThreadToken + B 77C35E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtOpenThreadTokenEx + B 77C35E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 4 Bytes [A8, E4, B3, 00] {TEST AL, 0xe4; MOV BL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtQueryAttributesFile + B 77C35F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtQueryFullAttributesFile + B 77C36033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtSetInformationFile + 6 77C3667E 4 Bytes [28, E5, B3, 00] {SUB CH, AH; MOV BL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtSetInformationFile + B 77C36683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtSetInformationThread + 6 77C366DE 4 Bytes [28, E6, B3, 00] {SUB DH, AH; MOV BL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtSetInformationThread + B 77C366E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 4 Bytes [68, E7, B3, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!NtUnmapViewOfSection + B 77C36A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5424] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text D:\Riot Games\League of Legends\RADS\projects\lol_air_client\releases\0.0.1.104\deploy\LolClient.exe[5520] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtCreateFile + 6 77C3560E 4 Bytes [28, 44, E9, 00] {SUB [ECX+EBP*8+0x0], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtCreateFile + B 77C35613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 4 Bytes [28, 47, E9, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtMapViewOfSection + B 77C35C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenFile + 6 77C35D1E 4 Bytes [68, 44, E9, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenFile + B 77C35D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenProcess + 6 77C35DCE 4 Bytes [A8, 45, E9, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenProcess + B 77C35DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenProcessToken + B 77C35DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 4 Bytes [A8, 46, E9, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenProcessTokenEx + B 77C35DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenThread + 6 77C35E4E 4 Bytes [68, 45, E9, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenThread + B 77C35E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 4 Bytes [68, 46, E9, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenThreadToken + B 77C35E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtOpenThreadTokenEx + B 77C35E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 4 Bytes [A8, 44, E9, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtQueryAttributesFile + B 77C35F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtQueryFullAttributesFile + B 77C36033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtSetInformationFile + 6 77C3667E 4 Bytes [28, 45, E9, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtSetInformationFile + B 77C36683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtSetInformationThread + 6 77C366DE 4 Bytes [28, 46, E9, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtSetInformationThread + B 77C366E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 4 Bytes [68, 47, E9, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!NtUnmapViewOfSection + B 77C36A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5576] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[5620] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[5620] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[5620] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[5620] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[5620] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[5620] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[5620] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[5620] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[5620] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[5620] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[5620] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[5620] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[5620] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[5620] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[5620] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[5620] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[5620] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5632] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtCreateFile + 6 77C3560E 4 Bytes [28, 90, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtCreateFile + B 77C35613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtMapViewOfSection + 6 77C35C6E 4 Bytes [28, 93, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtMapViewOfSection + B 77C35C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenFile + 6 77C35D1E 4 Bytes [68, 90, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenFile + B 77C35D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenProcess + 6 77C35DCE 4 Bytes [A8, 91, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenProcess + B 77C35DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenProcessToken + B 77C35DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenProcessTokenEx + 6 77C35DEE 4 Bytes [A8, 92, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenProcessTokenEx + B 77C35DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenThread + 6 77C35E4E 4 Bytes [68, 91, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenThread + B 77C35E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenThreadToken + 6 77C35E5E 4 Bytes [68, 92, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenThreadToken + B 77C35E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtOpenThreadTokenEx + B 77C35E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtQueryAttributesFile + 6 77C35F7E 4 Bytes [A8, 90, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtQueryAttributesFile + B 77C35F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtQueryFullAttributesFile + B 77C36033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtSetInformationFile + 6 77C3667E 4 Bytes [28, 91, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtSetInformationFile + B 77C36683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtSetInformationThread + 6 77C366DE 4 Bytes [28, 92, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtSetInformationThread + B 77C366E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtUnmapViewOfSection + 6 77C369FE 4 Bytes [68, 93, 2F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!NtUnmapViewOfSection + B 77C36A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717B000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[5696] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\notepad.exe[5968] ntdll.dll!NtAlpcSendWaitReceivePort 77C35458 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5968] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77C3545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\notepad.exe[5968] ntdll.dll!NtClose 77C35508 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[5968] ntdll.dll!NtClose + 4 77C3550C 2 Bytes [AE, 71] .text C:\Windows\notepad.exe[5968] ntdll.dll!LdrUnloadDll 77C4C8DE 6 Bytes JMP 71A8000A .text C:\Windows\notepad.exe[5968] kernel32.dll!CreateProcessW 7615204D 6 Bytes JMP 719F000A .text C:\Windows\notepad.exe[5968] kernel32.dll!CreateProcessA 76152082 6 Bytes JMP 719C000A .text C:\Windows\notepad.exe[5968] kernel32.dll!CreateProcessAsUserW 76185ABF 6 Bytes JMP 7193000A .text C:\Windows\notepad.exe[5968] ADVAPI32.dll!CreateProcessAsUserA 764E2642 6 Bytes JMP 7199000A .text C:\Windows\notepad.exe[5968] ADVAPI32.dll!CreateProcessWithLogonW 764E5429 6 Bytes JMP 7196000A .text C:\Windows\notepad.exe[5968] GDI32.dll!DeleteDC 775C6EAA 6 Bytes JMP 7187000A .text C:\Windows\notepad.exe[5968] GDI32.dll!GetPixel 775CC3D5 6 Bytes JMP 718A000A .text C:\Windows\notepad.exe[5968] GDI32.dll!CreateDCA 775CCCA9 6 Bytes JMP 7190000A .text C:\Windows\notepad.exe[5968] GDI32.dll!CreateDCW 775CCF79 6 Bytes JMP 718D000A .text C:\Windows\notepad.exe[5968] USER32.dll!SetWindowsHookExW 773DE30C 6 Bytes JMP 7181000A .text C:\Windows\notepad.exe[5968] USER32.dll!SetWinEventHook 773E24DC 6 Bytes JMP 717E000A .text C:\Windows\notepad.exe[5968] USER32.dll!SetWindowsHookExA 77406D0C 6 Bytes JMP 7184000A ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [749A249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74985652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74985710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [749A251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7499857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74994D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [749950D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [749951AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [749966DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [749982D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74998824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74999085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7499E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[3732] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74994C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \Driver\BTHUSB \Device\0000009b bthport.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys Device \Driver\BTHUSB \Device\00000099 bthport.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002186d3bcf6 Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002186d3bcf6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdHigh 30390795 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdLow -311939785 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextDetectionTime 2014-08-17 11:10:17 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect@LastSuccessTime 2014-08-16 13:12:28 ---- Files - GMER 2.1 ---- File C:\Users\Grucha\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\896YZRD0\featured[1].json 0 bytes ---- EOF - GMER 2.1 ----