GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-30 19:13:09
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000BPVT-80HXZT3 rev.01.01A01 465,76GB
Running: h1dt6t9q.exe; Driver: C:\Users\DG\AppData\Local\Temp\pxldypow.sys

---- System - GMER 2.1 ----

SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwAddBootEntry [0x8EE48B42]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0x89DC4464]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcConnectPort [0x89DC2AC2]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcCreatePort [0x89DC2594]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwAlpcSendWaitReceivePort [0x8EE4B31C]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0x89DC395E]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwConnectPort [0x89DC2682]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateFile [0x89DC93A6]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreatePort [0x89DC24A0]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateSection [0x89DC04BA]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateThread [0x89DC1662]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateThreadEx [0x89DC1796]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwDebugActiveProcess [0x89DC1D54]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDeleteBootEntry [0x8EE48BAE]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDeleteFile [0x8EE4927C]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDeviceIoControlFile [0x8EE4849C]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwDuplicateObject [0x89DC2362]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwFsControlFile [0x8EE4921C]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwImpersonateClientOfPort [0x8EE491E2]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwImpersonateThread [0x8EE491A0]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwLoadDriver [0x89DC3386]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwMapViewOfSection [0x8EE4ACAA]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwModifyBootEntry [0x8EE48B78]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenFile [0x89DC9724]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwOpenProcess [0x8EE4A148]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenSection [0x89DC077C]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenThread [0x89DC18DE]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwProtectVirtualMemory [0x89DC3710]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwQueueApcThread [0x89DC3A7A]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwReplaceKey [0x8EE48CD0]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRequestPort [0x89DC2CE6]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0x89DC304E]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwRestoreKey [0x8EE48C1A]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwResumeThread [0x89DC2102]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSecureConnectPort [0x89DC28A4]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSetBootOptions [0x8EE48BE4]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSetContextThread [0x89DC1BFC]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSetInformationFile [0x8EE492E0]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSetSystemInformation [0x89DC4118]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwShutdownSystem [0x89DC32C0]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSuspendProcess [0x89DC2234]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSuspendThread [0x89DC1FAC]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSystemDebugControl [0x89DC1E72]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwTerminateProcess [0x89DC14A0]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwTerminateThread [0x89DC1A94]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwUnloadDriver [0x89DC354E]
SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwWriteVirtualMemory [0x89DC383A]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E7AA35 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB4392 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82EBB5B0 4 Bytes [42, 8B, E4, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82EBB5D8 4 Bytes [64, 44, DC, 89]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82EBB5E4 8 Bytes [C2, 2A, DC, 89, 94, 25, DC, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82EBB628 4 Bytes [1C, B3, E4, 8E] {SBB AL, 0xb3; IN AL, 0x8e}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82EBB638 4 Bytes [5E, 39, DC, 89]
.text ...
.hgjhgj1˙˙˙˙SpySheltentry point in ".hgjhgj1˙˙˙˙SpySheltentry point in "" section [0x8EEF5162] C:\Program Files\SpyShelter Personal Free\SpyShelter.sys entry point in ".hgjhgj1˙˙˙˙SpySheltentry point in "" section [0x8EEF5162] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x99E0C000, 0x174C8A, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\svchost.exe[360] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[360] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[360] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[360] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\WLANExt.exe[560] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\WLANExt.exe[560] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\WLANExt.exe[560] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\WLANExt.exe[560] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\conhost.exe[672] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\conhost.exe[672] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\conhost.exe[672] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\conhost.exe[672] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAcat.exe[676] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes 
JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAcat.exe[676] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Online Armor\OAcat.exe[676] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAcat.exe[676] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oasrv.exe[684] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oasrv.exe[684] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Online Armor\oasrv.exe[684] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oasrv.exe[684] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oasrv.exe[684] user32.dll!LoadStringA 775266A7 6 Bytes JMP 71AF000A .text C:\Program Files\Online Armor\oasrv.exe[684] user32.dll!LoadStringW 7752DFBA 6 Bytes JMP 71A8000A .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[940] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[940] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[940] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[940] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text 
C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atiesrxx.exe[1100] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atiesrxx.exe[1100] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\atiesrxx.exe[1100] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atiesrxx.exe[1100] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\winlogon.exe[1144] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\winlogon.exe[1144] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\winlogon.exe[1144] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\winlogon.exe[1144] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1192] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1192] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\System32\svchost.exe[1192] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1192] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text 
C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1280] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1280] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1280] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1280] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1332] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1332] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1332] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1332] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [3A, 71] 
.text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [6D, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [40, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [37, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [3D, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [31, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [43, 71] .text C:\Program 
Files\MCShield\MCShieldRTM.exe[1448] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 7174000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7171000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [2E, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] advapi32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] advapi32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] advapi32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] advapi32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] advapi32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] advapi32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!RegisterHotKey + 4 7752AA1D 2 
Bytes [82, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 7152000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 714C000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 7149000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!SendMessageW 77535539 6 Bytes JMP 714F000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!mouse_event 77546209 6 Bytes JMP 715B000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!SendInput + 4 7755701D 2 Bytes [54, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 7158000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!ioctlsocket 77D73084 6 Bytes JMP 711C000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!sendto 77D734B5 6 Bytes JMP 7122000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!closesocket 77D73918 6 Bytes JMP 712C000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!WSASend 77D74406 6 Bytes JMP 710D000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 715E000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!select 77D76989 6 Bytes JMP 711F000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!recv 77D76B0E 6 Bytes JMP 7114000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] 
WS2_32.dll!connect 77D76BDD 6 Bytes JMP 7167000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!send 77D76F01 6 Bytes JMP 7125000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!WSARecv 77D77089 6 Bytes JMP 7110000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!WSAGetOverlappedResult 77D77489 6 Bytes JMP 7107000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7161000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7164000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] WS2_32.dll!WSAAsyncSelect 77D8B014 6 Bytes JMP 7119000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A .text C:\Program Files\MCShield\MCShieldRTM.exe[1448] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [3A, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [6D, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtDeleteValueKey 
77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [40, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [37, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [3D, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [31, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [43, 71] .text C:\Program Files\ATI 
Technologies\ATI.ACE\Core-Static\MOM.exe[1460] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 7174000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7171000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [2E, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!SendMessageA 7752AD60 6 Bytes JMP 7152000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!PostMessageA 7752B446 6 Bytes JMP 714C000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!PostMessageW 7753447B 6 Bytes JMP 7149000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!SendMessageW 77535539 6 Bytes JMP 714F000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!mouse_event 77546209 6 Bytes JMP 715B000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!SendInput + 4 7755701D 2 Bytes [54, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] 
user32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!keybd_event 7757EC3B 6 Bytes JMP 7158000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] user32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] advapi32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] advapi32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] advapi32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] advapi32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] advapi32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] advapi32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 715E000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] WS2_32.dll!connect 
77D76BDD 6 Bytes JMP 7167000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7161000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7164000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1460] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[1496] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1496] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1496] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1496] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1576] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1576] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1576] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1576] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atieclxx.exe[1592] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atieclxx.exe[1592] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\atieclxx.exe[1592] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 
C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atieclxx.exe[1592] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\spoolsv.exe[1668] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\spoolsv.exe[1668] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\System32\spoolsv.exe[1668] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\spoolsv.exe[1668] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [9E, 70] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [86, 71] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [A1, 70] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [8C, 71] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtOpenFile + 4 
77C35D1C 2 Bytes [83, 71] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [89, 71] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [80, 71] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [8F, 71] .text C:\Windows\system32\Dwm.exe[1748] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 70D7000A .text C:\Windows\system32\Dwm.exe[1748] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 70DA000A .text C:\Windows\system32\Dwm.exe[1748] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 70A8000A .text C:\Windows\system32\Dwm.exe[1748] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 70A5000A .text C:\Windows\system32\Dwm.exe[1748] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[1748] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 70AE000A .text C:\Windows\system32\Dwm.exe[1748] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 70AB000A .text C:\Windows\system32\Dwm.exe[1748] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 70B4000A .text C:\Windows\system32\Dwm.exe[1748] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 70B1000A .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!RegisterHotKey 7752AA19 3 Bytes 
[FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [B6, 70] {MOV DH, 0x70} .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 71A2000A .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!SendMessageW 77535539 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!mouse_event 77546209 6 Bytes JMP 71AB000A .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!SendInput + 4 7755701D 2 Bytes [A4, 71] .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 70D4000A .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[1748] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 70BD000A .text C:\Windows\system32\Dwm.exe[1748] ADVAPI32.dll!CreateServiceW 776170C4 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[1748] ADVAPI32.dll!CreateServiceA 77633264 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[1748] ADVAPI32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 70CE000A .text C:\Windows\system32\Dwm.exe[1748] ADVAPI32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 70C8000A .text C:\Windows\system32\Dwm.exe[1748] ADVAPI32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 70D1000A .text C:\Windows\system32\Dwm.exe[1748] ADVAPI32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 70CB000A .text C:\Windows\system32\Dwm.exe[1748] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 716B000A .text C:\Windows\system32\Dwm.exe[1748] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 716E000A .text C:\Windows\system32\Dwm.exe[1748] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 7177000A .text 
C:\Windows\system32\Dwm.exe[1748] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7171000A .text C:\Windows\system32\Dwm.exe[1748] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7174000A .text C:\Windows\system32\Dwm.exe[1748] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 70C2000A .text C:\Windows\system32\Dwm.exe[1748] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 70C5000A .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [17, 71] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [6F, 71] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [1A, 71] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [75, 71] {JNZ 0x73} .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [6C, 71] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [72, 71] {JB 0x73} .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text 
C:\Windows\Explorer.EXE[1776] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [66, 71] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [69, 71] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [8F, 71] .text C:\Windows\Explorer.EXE[1776] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 714D000A .text C:\Windows\Explorer.EXE[1776] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 7150000A .text C:\Windows\Explorer.EXE[1776] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 7121000A .text C:\Windows\Explorer.EXE[1776] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 711E000A .text C:\Windows\Explorer.EXE[1776] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [63, 71] .text C:\Windows\Explorer.EXE[1776] ADVAPI32.dll!CreateServiceW 776170C4 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[1776] ADVAPI32.dll!CreateServiceA 77633264 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[1776] ADVAPI32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 7144000A .text C:\Windows\Explorer.EXE[1776] ADVAPI32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 713E000A .text C:\Windows\Explorer.EXE[1776] ADVAPI32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 7147000A .text C:\Windows\Explorer.EXE[1776] ADVAPI32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7141000A .text C:\Windows\Explorer.EXE[1776] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 7127000A .text C:\Windows\Explorer.EXE[1776] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7124000A .text C:\Windows\Explorer.EXE[1776] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 712D000A .text 
C:\Windows\Explorer.EXE[1776] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 712A000A .text C:\Windows\Explorer.EXE[1776] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [2F, 71] .text C:\Windows\Explorer.EXE[1776] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 71A2000A .text C:\Windows\Explorer.EXE[1776] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[1776] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[1776] USER32.dll!SendMessageW 77535539 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[1776] USER32.dll!mouse_event 77546209 6 Bytes JMP 71AB000A .text C:\Windows\Explorer.EXE[1776] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1776] USER32.dll!SendInput + 4 7755701D 2 Bytes [A4, 71] .text C:\Windows\Explorer.EXE[1776] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 714A000A .text C:\Windows\Explorer.EXE[1776] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[1776] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7133000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!ioctlsocket 77D73084 6 Bytes JMP 70EA000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!sendto 77D734B5 6 Bytes JMP 70F0000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!closesocket 77D73918 6 Bytes JMP 70FA000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 7154000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!WSASend 77D74406 6 Bytes JMP 70DB000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 7157000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!select 77D76989 6 Bytes JMP 70ED000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!recv 77D76B0E 6 Bytes JMP 70E2000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 7160000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!send 
77D76F01 6 Bytes JMP 70F3000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!WSARecv 77D77089 6 Bytes JMP 70DE000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!WSAGetOverlappedResult 77D77489 6 Bytes JMP 70D5000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!listen 77D7B001 6 Bytes JMP 715A000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 715D000A .text C:\Windows\Explorer.EXE[1776] WS2_32.dll!WSAAsyncSelect 77D8B014 6 Bytes JMP 70E7000A .text C:\Windows\Explorer.EXE[1776] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 7138000A .text C:\Windows\Explorer.EXE[1776] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 713B000A .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [2E, 71] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [86, 71] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [31, 71] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [8C, 71] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text 
C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [83, 71] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [89, 71] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [80, 71] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [8F, 71] .text C:\Windows\system32\taskhost.exe[1928] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 7164000A .text C:\Windows\system32\taskhost.exe[1928] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 7167000A .text C:\Windows\system32\taskhost.exe[1928] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 7138000A .text C:\Windows\system32\taskhost.exe[1928] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7135000A .text C:\Windows\system32\taskhost.exe[1928] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskhost.exe[1928] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 713E000A .text C:\Windows\system32\taskhost.exe[1928] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 713B000A .text C:\Windows\system32\taskhost.exe[1928] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7144000A .text 
C:\Windows\system32\taskhost.exe[1928] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 7141000A .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [46, 71] .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 71A2000A .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!SendMessageW 77535539 6 Bytes JMP 719F000A .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!mouse_event 77546209 6 Bytes JMP 71AB000A .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!SendInput + 4 7755701D 2 Bytes [A4, 71] .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 7161000A .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[1928] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 714A000A .text C:\Windows\system32\taskhost.exe[1928] ADVAPI32.dll!CreateServiceW 776170C4 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[1928] ADVAPI32.dll!CreateServiceA 77633264 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[1928] ADVAPI32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 715B000A .text C:\Windows\system32\taskhost.exe[1928] ADVAPI32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7155000A .text C:\Windows\system32\taskhost.exe[1928] ADVAPI32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 715E000A .text C:\Windows\system32\taskhost.exe[1928] ADVAPI32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7158000A .text C:\Windows\system32\taskhost.exe[1928] 
WS2_32.dll!socket 77D73EB8 6 Bytes JMP 716B000A .text C:\Windows\system32\taskhost.exe[1928] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 716E000A .text C:\Windows\system32\taskhost.exe[1928] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 7177000A .text C:\Windows\system32\taskhost.exe[1928] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7171000A .text C:\Windows\system32\taskhost.exe[1928] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7174000A .text C:\Windows\system32\taskhost.exe[1928] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 714F000A .text C:\Windows\system32\taskhost.exe[1928] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7152000A .text C:\Windows\system32\svchost.exe[1968] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1968] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1968] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1968] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [80, 71] .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll 
.text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[2068] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [83, 71] .text C:\Program Files\Online Armor\OAhlp.exe[2068] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[2068] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [6E, 71] .text C:\Program Files\Online Armor\OAhlp.exe[2068] user32.dll!LoadStringA 775266A7 6 Bytes JMP 716C000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] user32.dll!SendMessageA 7752AD60 6 Bytes JMP 7196000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] user32.dll!PostMessageA 7752B446 6 Bytes JMP 7190000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] user32.dll!LoadStringW 7752DFBA 6 Bytes JMP 7168000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] 
user32.dll!PostMessageW 7753447B 6 Bytes JMP 718D000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] user32.dll!SendMessageW 77535539 6 Bytes JMP 7193000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] user32.dll!mouse_event 77546209 6 Bytes JMP 719F000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] user32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[2068] user32.dll!SendInput + 4 7755701D 2 Bytes [98, 71] .text C:\Program Files\Online Armor\OAhlp.exe[2068] user32.dll!keybd_event 7757EC3B 6 Bytes JMP 719C000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] advapi32.dll!CreateServiceW 776170C4 6 Bytes JMP 7187000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] advapi32.dll!CreateServiceA 77633264 6 Bytes JMP 718A000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 71A2000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 71AB000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] WS2_32.dll!listen 77D7B001 6 Bytes JMP 71A5000A .text C:\Program Files\Online Armor\OAhlp.exe[2068] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[2076] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[2076] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[2076] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[2076] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe[2120] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 
C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe[2120] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe[2120] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe[2120] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2164] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [3A, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic 
Focus\SonicFocusTray.exe[2208] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [6D, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [40, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [37, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [3D, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [31, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic 
Focus\SonicFocusTray.exe[2208] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [43, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 7174000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7171000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [2E, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 7152000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 714C000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 7149000A .text C:\Program Files\ASUS\ASUS 
Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!SendMessageW 77535539 6 Bytes JMP 714F000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!mouse_event 77546209 6 Bytes JMP 715B000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!SendInput + 4 7755701D 2 Bytes [54, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 7158000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ADVAPI32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ADVAPI32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ADVAPI32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ADVAPI32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ADVAPI32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] ADVAPI32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 715E000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] WS2_32.dll!connect 77D76BDD 6 
Bytes JMP 7167000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7161000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7164000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[2208] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A .text C:\ProgramData\DatacardService\HWDeviceService.exe[2276] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\HWDeviceService.exe[2276] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\ProgramData\DatacardService\HWDeviceService.exe[2276] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\HWDeviceService.exe[2276] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [60, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [2D, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [63, 71] .text 
C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [33, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [2A, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [30, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [24, 71] {AND AL, 0x71} .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [27, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [36, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 
71A7000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 716A000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7167000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [21, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [81, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 7145000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 713F000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 713C000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!SendMessageW 77535539 6 Bytes JMP 7142000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!mouse_event 77546209 6 Bytes JMP 714E000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!SendInput + 4 7755701D 2 Bytes [47, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 714B000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7185000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 7179000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] GDI32.dll!BitBlt 
77A572C0 6 Bytes JMP 7176000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 717F000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717C000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ADVAPI32.dll!CreateServiceW 776170C4 6 Bytes JMP 7188000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ADVAPI32.dll!CreateServiceA 77633264 6 Bytes JMP 718B000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ADVAPI32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719A000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ADVAPI32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7194000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ADVAPI32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719D000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ADVAPI32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7197000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AF000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 7151000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 715A000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7154000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7157000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718E000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7191000A .text C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe[2516] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe[2516] 
ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe[2516] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe[2516] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\PnkBstrA.exe[2536] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\PnkBstrA.exe[2536] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\PnkBstrA.exe[2536] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\PnkBstrA.exe[2536] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\LiveTunerService.exe[2608] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\LiveTunerService.exe[2608] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\LiveTunerService.exe[2608] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\LiveTunerService.exe[2608] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [61, 71] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program 
Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [2D, 71] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [64, 71] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [33, 71] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [2A, 71] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [30, 71] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [24, 71] {AND AL, 0x71} .text C:\Program Files\SpyShelter Personal 
Free\SpyShelter.exe[2780] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [27, 71] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [36, 71] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 716B000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7168000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [21, 71] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71] .text C:\Program Files\SpyShelter 
Personal Free\SpyShelter.exe[2780] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 7145000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 713F000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 713C000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!SendMessageW 77535539 6 Bytes JMP 7142000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!mouse_event 77546209 6 Bytes JMP 714E000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!SendInput + 4 7755701D 2 Bytes [47, 71] .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 714B000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] advapi32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] advapi32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] advapi32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] advapi32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] advapi32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] advapi32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A 
.text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!ioctlsocket 77D73084 6 Bytes JMP 710F000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!sendto 77D734B5 6 Bytes JMP 7115000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!closesocket 77D73918 6 Bytes JMP 711F000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!WSASend 77D74406 6 Bytes JMP 7100000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 7151000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!select 77D76989 6 Bytes JMP 7112000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!recv 77D76B0E 6 Bytes JMP 7107000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 715A000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!send 77D76F01 6 Bytes JMP 7118000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!WSARecv 77D77089 6 Bytes JMP 7103000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!WSAGetOverlappedResult 77D77489 6 Bytes JMP 70FA000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7154000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7157000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] WS2_32.dll!WSAAsyncSelect 77D8B014 6 Bytes JMP 710C000A .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[2780] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A .text C:\Program Files\SpyShelter Personal 
Free\SpyShelter.exe[2780] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A .text C:\Program Files\CyberGhost 5\Service.exe[3068] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\CyberGhost 5\Service.exe[3068] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\CyberGhost 5\Service.exe[3068] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\CyberGhost 5\Service.exe[3068] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[3532] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[3532] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[3532] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[3532] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [3A, 71] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [6D, 71] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] 
ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [40, 71] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [37, 71] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [3D, 71] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [31, 71] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [43, 71] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 7174000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 
7171000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [2E, 71] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!SendMessageA 7752AD60 6 Bytes JMP 7152000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!PostMessageA 7752B446 6 Bytes JMP 714C000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!PostMessageW 7753447B 6 Bytes JMP 7149000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!SendMessageW 77535539 6 Bytes JMP 714F000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!mouse_event 77546209 6 Bytes JMP 715B000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!SendInput + 4 7755701D 2 Bytes [54, 71] .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!keybd_event 7757EC3B 6 Bytes JMP 7158000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] user32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] advapi32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] 
advapi32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] advapi32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] advapi32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] advapi32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] advapi32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!ioctlsocket 77D73084 6 Bytes JMP 711C000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!sendto 77D734B5 6 Bytes JMP 7122000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!closesocket 77D73918 6 Bytes JMP 712C000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!WSASend 77D74406 6 Bytes JMP 710D000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 715E000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!select 77D76989 6 Bytes JMP 711F000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!recv 77D76B0E 6 Bytes JMP 7114000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 7167000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!send 77D76F01 6 Bytes JMP 7125000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!WSARecv 77D77089 6 Bytes JMP 7110000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!WSAGetOverlappedResult 77D77489 6 Bytes JMP 7107000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7161000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7164000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] WS2_32.dll!WSAAsyncSelect 77D8B014 6 Bytes JMP 7119000A 
.text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A .text C:\Users\DG\Downloads\h1dt6t9q.exe[3700] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [3A, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [6D, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [40, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [37, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] 
ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [3D, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [31, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [43, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 7174000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7171000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [2E, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 7152000A .text C:\Program 
Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 714C000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 7149000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!SendMessageW 77535539 6 Bytes JMP 714F000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!mouse_event 77546209 6 Bytes JMP 715B000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!SendInput + 4 7755701D 2 Bytes [54, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 7158000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ADVAPI32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ADVAPI32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ADVAPI32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ADVAPI32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] 
ADVAPI32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] ADVAPI32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 715E000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 7167000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7161000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7164000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3712] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [61, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [64, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] 
ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A3001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A6001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 716A001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7167001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 7179001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7176001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 717F001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717C001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A0001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7185001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] advapi32.dll!CreateServiceW 776170C4 6 Bytes JMP 7188001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] advapi32.dll!CreateServiceA 77633264 6 Bytes JMP 718B001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] advapi32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719A001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] advapi32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 
7194001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] advapi32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719D001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] advapi32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7197001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AD001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718E001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[3740] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7191001E .text C:\Windows\System32\WUDFHost.exe[3756] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\WUDFHost.exe[3756] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\System32\WUDFHost.exe[3756] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\WUDFHost.exe[3756] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [61, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [2D, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 
Bytes [64, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [33, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [2A, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [30, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [24, 71] {AND AL, 0x71} .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [27, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [36, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\Program 
Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 716B000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7168000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [21, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 7145000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 713F000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 713C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!SendMessageW 77535539 6 Bytes JMP 7142000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!mouse_event 77546209 6 Bytes JMP 714E000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!SendInput + 4 
7755701D 2 Bytes [47, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 714B000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ADVAPI32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ADVAPI32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ADVAPI32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ADVAPI32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ADVAPI32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] ADVAPI32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 7151000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 715A000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7154000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7157000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[3840] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A .text C:\Windows\system32\SearchIndexer.exe[3888] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 
Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\SearchIndexer.exe[3888] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\system32\SearchIndexer.exe[3888] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\SearchIndexer.exe[3888] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [61, 71] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [2D, 71] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [64, 71] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [33, 71] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [2A, 71] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] 
ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [30, 71] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [24, 71] {AND AL, 0x71} .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [27, 71] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [36, 71] .text C:\Windows\System32\rundll32.exe[3924] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\Windows\System32\rundll32.exe[3924] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A .text C:\Windows\System32\rundll32.exe[3924] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 716B000A .text C:\Windows\System32\rundll32.exe[3924] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7168000A .text C:\Windows\System32\rundll32.exe[3924] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [21, 71] .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71] .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 7145000A .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 713F000A .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 713C000A .text 
C:\Windows\System32\rundll32.exe[3924] USER32.dll!SendMessageW 77535539 6 Bytes JMP 7142000A .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!mouse_event 77546209 6 Bytes JMP 714E000A .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!SendInput + 4 7755701D 2 Bytes [47, 71] .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 714B000A .text C:\Windows\System32\rundll32.exe[3924] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A .text C:\Windows\System32\rundll32.exe[3924] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A .text C:\Windows\System32\rundll32.exe[3924] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A .text C:\Windows\System32\rundll32.exe[3924] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A .text C:\Windows\System32\rundll32.exe[3924] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A .text C:\Windows\System32\rundll32.exe[3924] ADVAPI32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A .text C:\Windows\System32\rundll32.exe[3924] ADVAPI32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A .text C:\Windows\System32\rundll32.exe[3924] ADVAPI32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A .text C:\Windows\System32\rundll32.exe[3924] ADVAPI32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A .text C:\Windows\System32\rundll32.exe[3924] ADVAPI32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A .text C:\Windows\System32\rundll32.exe[3924] ADVAPI32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A .text C:\Windows\System32\rundll32.exe[3924] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A .text C:\Windows\System32\rundll32.exe[3924] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 7151000A .text C:\Windows\System32\rundll32.exe[3924] WS2_32.dll!connect 77D76BDD 6 
Bytes JMP 715A000A .text C:\Windows\System32\rundll32.exe[3924] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7154000A .text C:\Windows\System32\rundll32.exe[3924] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7157000A .text C:\Windows\System32\rundll32.exe[3924] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A .text C:\Windows\System32\rundll32.exe[3924] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [80, 71] .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[3968] 
ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[3968] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [83, 71] .text C:\Program Files\Online Armor\oaui.exe[3968] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[3968] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [6E, 71] .text C:\Program Files\Online Armor\oaui.exe[3968] user32.dll!LoadStringA 775266A7 6 Bytes JMP 716C000A .text C:\Program Files\Online Armor\oaui.exe[3968] user32.dll!SendMessageA 7752AD60 6 Bytes JMP 7196000A .text C:\Program Files\Online Armor\oaui.exe[3968] user32.dll!PostMessageA 7752B446 6 Bytes JMP 7190000A .text C:\Program Files\Online Armor\oaui.exe[3968] user32.dll!LoadStringW 7752DFBA 6 Bytes JMP 7168000A .text C:\Program Files\Online Armor\oaui.exe[3968] user32.dll!PostMessageW 7753447B 6 Bytes JMP 718D000A .text C:\Program Files\Online Armor\oaui.exe[3968] user32.dll!SendMessageW 77535539 6 Bytes JMP 7193000A .text C:\Program Files\Online Armor\oaui.exe[3968] user32.dll!mouse_event 77546209 6 Bytes JMP 719F000A .text C:\Program Files\Online Armor\oaui.exe[3968] user32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[3968] user32.dll!SendInput + 4 7755701D 2 Bytes [98, 71] .text C:\Program Files\Online Armor\oaui.exe[3968] user32.dll!keybd_event 7757EC3B 6 Bytes JMP 719C000A .text C:\Program Files\Online Armor\oaui.exe[3968] advapi32.dll!CreateServiceW 776170C4 6 Bytes JMP 7187000A .text C:\Program Files\Online Armor\oaui.exe[3968] advapi32.dll!CreateServiceA 77633264 6 Bytes JMP 
718A000A .text C:\Program Files\Online Armor\oaui.exe[3968] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 71A2000A .text C:\Program Files\Online Armor\oaui.exe[3968] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 71AB000A .text C:\Program Files\Online Armor\oaui.exe[3968] WS2_32.dll!listen 77D7B001 6 Bytes JMP 71A5000A .text C:\Program Files\Online Armor\oaui.exe[3968] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 71A8000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [61, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [2D, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [64, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [33, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtOpenFile + 4 
77C35D1C 2 Bytes [2A, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [30, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [24, 71] {AND AL, 0x71} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [27, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [36, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 716B000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7168000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [21, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ADVAPI32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A .text C:\Program 
Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ADVAPI32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ADVAPI32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ADVAPI32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ADVAPI32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] ADVAPI32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!SendMessageA 7752AD60 6 Bytes JMP 7145000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!PostMessageA 7752B446 6 Bytes JMP 713F000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!PostMessageW 7753447B 6 Bytes JMP 713C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!SendMessageW 77535539 6 Bytes JMP 7142000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!mouse_event 77546209 6 Bytes JMP 714E000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Program 
Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!SendInput + 4 7755701D 2 Bytes [47, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!keybd_event 7757EC3B 6 Bytes JMP 714B000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] USER32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 7151000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 715A000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7154000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7157000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[4044] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtCreateFile 77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [3A, 71] .text C:\Program Files\ATI 
Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [6D, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [40, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [37, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [3D, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [31, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtSetInformationFile + 4 
77C3667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [43, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 7174000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7171000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [2E, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!SendMessageA 7752AD60 6 Bytes JMP 7152000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!PostMessageA 7752B446 6 Bytes JMP 714C000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!PostMessageW 7753447B 6 Bytes JMP 7149000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!SendMessageW 77535539 6 Bytes JMP 714F000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!mouse_event 77546209 6 Bytes JMP 715B000A 
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!SendInput + 4 7755701D 2 Bytes [54, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!keybd_event 7757EC3B 6 Bytes JMP 7158000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] user32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] advapi32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] advapi32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] advapi32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] advapi32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] advapi32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] advapi32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A .text C:\Program Files\ATI 
Technologies\ATI.ACE\Core-Static\CCC.exe[4380] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 715E000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 7167000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7161000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7164000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4380] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A .text C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4988] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4988] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4988] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe[4988] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtAcceptConnectPort 77C351E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtAcceptConnectPort + 4 77C351EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtAllocateVirtualMemory 77C35318 5 Bytes JMP 75178CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtCreateFile 
77C35608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtCreateFile + 4 77C3560C 2 Bytes [3A, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtCreateSymbolicLinkObject 77C35748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C3574C 2 Bytes [6D, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtDeleteValueKey 77C35888 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtDeleteValueKey + 4 77C3588C 2 Bytes [40, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtFlushBuffersFile 77C35998 5 Bytes JMP 53ADEF64 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtFreeVirtualMemory 77C35A18 1 Byte [E9] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtFreeVirtualMemory 77C35A18 5 Bytes JMP 75178EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtOpenFile 77C35D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtOpenFile + 4 77C35D1C 2 Bytes [37, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtOpenProcess 77C35DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtOpenProcess + 4 77C35DCC 2 Bytes [3D, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtProtectVirtualMemory 77C35F58 5 Bytes JMP 75178D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtQueryFullAttributesFile 77C36028 5 Bytes JMP 53ADEC80 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtReadFile 77C362F8 5 Bytes JMP 53ADEE60 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] 
ntdll.dll!NtReadFileScatter 77C36308 2 Bytes JMP 544264C0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtReadFileScatter + 3 77C3630B 2 Bytes [7F, DC] {JG 0xffffffde}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtSetContextThread 77C365A8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtSetContextThread + 4 77C365AC 2 Bytes [31, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtSetInformationFile 77C36678 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtSetInformationFile + 4 77C3667C 2 Bytes [34, 71] {XOR AL, 0x71}
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtSetValueKey 77C36848 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtSetValueKey + 4 77C3684C 2 Bytes [43, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtWriteFile 77C36AA8 5 Bytes JMP 53AFB690 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtWriteFileGather 77C36AB8 5 Bytes JMP 5442646F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!LdrLoadDll 77C522AE 5 Bytes JMP 58311F43 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!CreateProcessW 7717204D 6 Bytes JMP 71A4000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!CreateProcessA 77172082 6 Bytes JMP 71A7000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 771B94E6 7 Bytes JMP 5438D001 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!QueryPerformanceCounter + 13 771BC4E5 7 Bytes JMP 5438D024 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!LoadLibraryA 771BDD15 6 Bytes JMP 7174000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!LoadLibraryW 771BEFF2 6 Bytes JMP 7171000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!LoadAppInitDlls + 355 771BF5A6 7 Bytes JMP 53AF7374 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!CreateProcessInternalW 771C0852 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!CreateProcessInternalW + 4 771C0856 2 Bytes [2E, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!RegisterHotKey 7752AA19 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!RegisterHotKey + 4 7752AA1D 2 Bytes [82, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!SendMessageA 7752AD60 6 Bytes JMP 7152000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!PostMessageA 7752B446 6 Bytes JMP 714C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!PostMessageW 7753447B 6 Bytes JMP 7149000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!GetWindowInfo 77534B5E 5 Bytes JMP 54293388 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!SendMessageW 77535539 6 Bytes JMP 714F000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!mouse_event 77546209 6 Bytes JMP 715B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!SendInput 77557019 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!SendInput + 4 7755701D 2 Bytes [54, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!ExitWindowsEx 775706C7 6 Bytes JMP 71A1000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!keybd_event 7757EC3B 6 Bytes JMP 7158000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] user32.dll!DdeClientTransaction 7758323C 6 Bytes JMP 7186000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] GDI32.dll!DeleteDC 77A56EAA 6 Bytes JMP 717A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] GDI32.dll!BitBlt 77A572C0 6 Bytes JMP 7177000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] GDI32.dll!GetViewportOrgEx + 26C 77A5884B 7 Bytes JMP 5438CF82 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] GDI32.dll!CreateDCA 77A5CCA9 6 Bytes JMP 7180000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] GDI32.dll!CreateDCW 77A5CF79 6 Bytes JMP 717D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] advapi32.dll!CreateServiceW 776170C4 6 Bytes JMP 7189000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] advapi32.dll!CreateServiceA 77633264 6 Bytes JMP 718C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] advapi32.dll!InitiateSystemShutdownW 7764DC55 6 Bytes JMP 719B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] advapi32.dll!InitiateSystemShutdownExW 7764DD22 6 Bytes JMP 7195000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] advapi32.dll!InitiateSystemShutdownA 7764DDF7 6 Bytes JMP 719E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] advapi32.dll!InitiateSystemShutdownExA 7764DE9E 6 Bytes JMP 7198000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!ioctlsocket 77D73084 6 Bytes JMP 7119000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!sendto 77D734B5 6 Bytes JMP 711F000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!closesocket 77D73918 6 Bytes JMP 7129000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!socket 77D73EB8 6 Bytes JMP 71AE000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!WSASend 77D74406 6 Bytes JMP 710A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!WSALookupServiceBeginW 77D7575A 6 Bytes JMP 715E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!select 77D76989 6 Bytes JMP 711C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!recv 77D76B0E 6 Bytes JMP 7111000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!connect 77D76BDD 6 Bytes JMP 7167000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!send 77D76F01 6 Bytes JMP 7122000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!WSARecv 77D77089 6 Bytes JMP 710D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!WSAGetOverlappedResult 77D77489 6 Bytes JMP 7104000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!listen 77D7B001 6 Bytes JMP 7161000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!WSAConnect 77D7CC3F 6 Bytes JMP 7164000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] WS2_32.dll!WSAAsyncSelect 77D8B014 6 Bytes JMP 7116000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] IPHLPAPI.DLL!IcmpSendEcho2Ex 73D3843C 6 Bytes JMP 718F000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5800] IPHLPAPI.DLL!IcmpSendEcho2 73D3873B 6 Bytes JMP 7192000A

---- Devices - GMER 2.1 ----

Device \Driver\tdx \Device\Tcp OAmon.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fltsrv.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fltsrv.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fltsrv.sys
Device \Driver\tdx \Device\RawIp6 OAmon.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fltsrv.sys
Device \Driver\tdx \Device\Tcp6 OAmon.sys
Device \Driver\tdx \Device\Tdx OAmon.sys
Device \Driver\partmgr \Device\PartmgrControl fltsrv.sys
Device \Driver\tdx \Device\Udp OAmon.sys
Device \Driver\tdx \Device\RawIp OAmon.sys
Device \Driver\tdx \Device\Udp6 OAmon.sys
Device \Driver\rdyboost \Device\RdyBoost fltsrv.sys

---- EOF - GMER 2.1 ----