GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-01 08:31:38 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500BEVT-35A23T0 rev.01.01A01 232,89GB Running: 9u98ubto.exe; Driver: C:\Users\I\AppData\Local\Temp\pxldypow.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0x8D114464] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcConnectPort [0x8D112AC2] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcCreatePort [0x8D112594] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0x8D11395E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwConnectPort [0x8D112682] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateFile [0x8D1193A6] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreatePort [0x8D1124A0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateSection [0x8D1104BA] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateThread [0x8D111662] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateThreadEx [0x8D111796] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwDebugActiveProcess [0x8D111D54] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwDuplicateObject [0x8D112362] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwLoadDriver [0x8D113386] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenFile [0x8D119724] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenSection [0x8D11077C] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenThread [0x8D1118DE] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwProtectVirtualMemory [0x8D113710] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwQueueApcThread [0x8D113A7A] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRequestPort [0x8D112CE6] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0x8D11304E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwResumeThread [0x8D112102] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSecureConnectPort [0x8D1128A4] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSetContextThread [0x8D111BFC] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSetSystemInformation [0x8D114118] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwShutdownSystem [0x8D1132C0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSuspendProcess [0x8D112234] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSuspendThread [0x8D111FAC] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSystemDebugControl [0x8D111E72] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwTerminateProcess [0x8D1114A0] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwTerminateThread [0x8D111A94] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwUnloadDriver [0x8D11354E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwWriteVirtualMemory [0x8D11383A] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1409 8187E9A5 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8189E512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 13BB 818A59B0 4 Bytes [64, 44, 11, 8D] .text ntoskrnl.exe!KeRemoveQueueEx + 13C7 818A59BC 8 Bytes [C2, 2A, 11, 8D, 94, 25, 11, ...] .text ntoskrnl.exe!KeRemoveQueueEx + 141B 818A5A10 4 Bytes [5E, 39, 11, 8D] .text ntoskrnl.exe!KeRemoveQueueEx + 145B 818A5A50 4 Bytes [82, 26, 11, 8D] .text ntoskrnl.exe!KeRemoveQueueEx + 1477 818A5A6C 4 Bytes [A6, 93, 11, 8D] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [2E, 71] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [86, 71] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [31, 71] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [8C, 71] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [83, 71] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [89, 71] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [80, 71] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [8F, 71] .text C:\Windows\System32\hkcmd.exe[652] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 7164000A .text C:\Windows\System32\hkcmd.exe[652] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 7167000A .text C:\Windows\System32\hkcmd.exe[652] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 7138000A .text C:\Windows\System32\hkcmd.exe[652] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7135000A .text C:\Windows\System32\hkcmd.exe[652] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [46, 71] .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!SendMessageA 769FAD60 6 Bytes JMP 71A2000A .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!PostMessageA 769FB446 6 Bytes JMP 719C000A .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!PostMessageW 76A0447B 6 Bytes JMP 7199000A .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!SendMessageW 76A05539 6 Bytes JMP 719F000A .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!mouse_event 76A16209 6 Bytes JMP 71AB000A .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!SendInput + 4 76A2701D 2 Bytes [A4, 71] .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 7161000A .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!keybd_event 76A4EC3B 6 Bytes JMP 71A8000A .text C:\Windows\System32\hkcmd.exe[652] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 714A000A .text C:\Windows\System32\hkcmd.exe[652] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 713E000A .text C:\Windows\System32\hkcmd.exe[652] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 713B000A .text C:\Windows\System32\hkcmd.exe[652] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 7144000A .text C:\Windows\System32\hkcmd.exe[652] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 7141000A .text C:\Windows\System32\hkcmd.exe[652] ADVAPI32.dll!CreateServiceW 777070C4 6 Bytes JMP 7193000A .text C:\Windows\System32\hkcmd.exe[652] ADVAPI32.dll!CreateServiceA 77723264 6 Bytes JMP 7196000A .text C:\Windows\System32\hkcmd.exe[652] ADVAPI32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 715B000A .text C:\Windows\System32\hkcmd.exe[652] ADVAPI32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7155000A .text C:\Windows\System32\hkcmd.exe[652] ADVAPI32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 715E000A .text C:\Windows\System32\hkcmd.exe[652] ADVAPI32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7158000A .text C:\Windows\System32\hkcmd.exe[652] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 716B000A .text C:\Windows\System32\hkcmd.exe[652] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 716E000A .text C:\Windows\System32\hkcmd.exe[652] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 7177000A .text C:\Windows\System32\hkcmd.exe[652] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7171000A .text C:\Windows\System32\hkcmd.exe[652] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7174000A .text C:\Windows\System32\hkcmd.exe[652] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 714F000A .text C:\Windows\System32\hkcmd.exe[652] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7152000A .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [2E, 71] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [86, 71] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [31, 71] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [8C, 71] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [83, 71] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [89, 71] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [80, 71] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [8F, 71] .text C:\Windows\System32\igfxtray.exe[744] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 7164000A .text C:\Windows\System32\igfxtray.exe[744] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 7167000A .text C:\Windows\System32\igfxtray.exe[744] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 7138000A .text C:\Windows\System32\igfxtray.exe[744] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7135000A .text C:\Windows\System32\igfxtray.exe[744] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [46, 71] .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!SendMessageA 769FAD60 6 Bytes JMP 71A2000A .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!PostMessageA 769FB446 6 Bytes JMP 719C000A .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!PostMessageW 76A0447B 6 Bytes JMP 7199000A .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!SendMessageW 76A05539 6 Bytes JMP 719F000A .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!mouse_event 76A16209 6 Bytes JMP 71AB000A .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!SendInput + 4 76A2701D 2 Bytes [A4, 71] .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 7161000A .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!keybd_event 76A4EC3B 6 Bytes JMP 71A8000A .text C:\Windows\System32\igfxtray.exe[744] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 714A000A .text C:\Windows\System32\igfxtray.exe[744] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 713E000A .text C:\Windows\System32\igfxtray.exe[744] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 713B000A .text C:\Windows\System32\igfxtray.exe[744] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 7144000A .text C:\Windows\System32\igfxtray.exe[744] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 7141000A .text C:\Windows\System32\igfxtray.exe[744] ADVAPI32.dll!CreateServiceW 777070C4 6 Bytes JMP 7193000A .text C:\Windows\System32\igfxtray.exe[744] ADVAPI32.dll!CreateServiceA 77723264 6 Bytes JMP 7196000A .text C:\Windows\System32\igfxtray.exe[744] ADVAPI32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 715B000A .text C:\Windows\System32\igfxtray.exe[744] ADVAPI32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7155000A .text C:\Windows\System32\igfxtray.exe[744] ADVAPI32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 715E000A .text C:\Windows\System32\igfxtray.exe[744] ADVAPI32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7158000A .text C:\Windows\System32\igfxtray.exe[744] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 716B000A .text C:\Windows\System32\igfxtray.exe[744] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 716E000A .text C:\Windows\System32\igfxtray.exe[744] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 7177000A .text C:\Windows\System32\igfxtray.exe[744] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7171000A .text C:\Windows\System32\igfxtray.exe[744] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7174000A .text C:\Windows\System32\igfxtray.exe[744] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 714F000A .text C:\Windows\System32\igfxtray.exe[744] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7152000A .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[864] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[864] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[864] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[864] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [2E, 71] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [86, 71] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [31, 71] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [8C, 71] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [83, 71] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [89, 71] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [80, 71] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [8F, 71] .text C:\Windows\System32\igfxpers.exe[872] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 7164000A .text C:\Windows\System32\igfxpers.exe[872] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 7167000A .text C:\Windows\System32\igfxpers.exe[872] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 7138000A .text C:\Windows\System32\igfxpers.exe[872] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7135000A .text C:\Windows\System32\igfxpers.exe[872] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\igfxpers.exe[872] ADVAPI32.dll!CreateServiceW 777070C4 6 Bytes JMP 7193000A .text C:\Windows\System32\igfxpers.exe[872] ADVAPI32.dll!CreateServiceA 77723264 6 Bytes JMP 7196000A .text C:\Windows\System32\igfxpers.exe[872] ADVAPI32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 715B000A .text C:\Windows\System32\igfxpers.exe[872] ADVAPI32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7155000A .text C:\Windows\System32\igfxpers.exe[872] ADVAPI32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 715E000A .text C:\Windows\System32\igfxpers.exe[872] ADVAPI32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7158000A .text C:\Windows\System32\igfxpers.exe[872] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 713E000A .text C:\Windows\System32\igfxpers.exe[872] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 713B000A .text C:\Windows\System32\igfxpers.exe[872] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 7144000A .text C:\Windows\System32\igfxpers.exe[872] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 7141000A .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [46, 71] .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!SendMessageA 769FAD60 6 Bytes JMP 71A2000A .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!PostMessageA 769FB446 6 Bytes JMP 719C000A .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!PostMessageW 76A0447B 6 Bytes JMP 7199000A .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!SendMessageW 76A05539 6 Bytes JMP 719F000A .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!mouse_event 76A16209 6 Bytes JMP 71AB000A .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!SendInput + 4 76A2701D 2 Bytes [A4, 71] .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 7161000A .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!keybd_event 76A4EC3B 6 Bytes JMP 71A8000A .text C:\Windows\System32\igfxpers.exe[872] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 714A000A .text C:\Windows\System32\igfxpers.exe[872] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 716B000A .text C:\Windows\System32\igfxpers.exe[872] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 716E000A .text C:\Windows\System32\igfxpers.exe[872] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 7177000A .text C:\Windows\System32\igfxpers.exe[872] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7171000A .text C:\Windows\System32\igfxpers.exe[872] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7174000A .text C:\Windows\System32\igfxpers.exe[872] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 714F000A .text C:\Windows\System32\igfxpers.exe[872] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7152000A .text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1024] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1024] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\System32\svchost.exe[1024] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1024] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1064] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1064] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\System32\svchost.exe[1064] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1108] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1108] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1108] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1108] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [3A, 71] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [6D, 71] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [40, 71] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [37, 71] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [3D, 71] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [31, 71] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [43, 71] .text C:\Windows\system32\igfxsrvc.exe[1152] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 71A4000A .text C:\Windows\system32\igfxsrvc.exe[1152] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 71A7000A .text C:\Windows\system32\igfxsrvc.exe[1152] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 7174000A .text C:\Windows\system32\igfxsrvc.exe[1152] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7171000A .text C:\Windows\system32\igfxsrvc.exe[1152] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [2E, 71] .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [82, 71] .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!SendMessageA 769FAD60 6 Bytes JMP 7152000A .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!PostMessageA 769FB446 6 Bytes JMP 714C000A .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!PostMessageW 76A0447B 6 Bytes JMP 7149000A .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!SendMessageW 76A05539 6 Bytes JMP 714F000A .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!mouse_event 76A16209 6 Bytes JMP 715B000A .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!SendInput + 4 76A2701D 2 Bytes [54, 71] .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 71A1000A .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!keybd_event 76A4EC3B 6 Bytes JMP 7158000A .text C:\Windows\system32\igfxsrvc.exe[1152] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 7186000A .text C:\Windows\system32\igfxsrvc.exe[1152] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 717A000A .text C:\Windows\system32\igfxsrvc.exe[1152] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 7177000A .text C:\Windows\system32\igfxsrvc.exe[1152] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 7180000A .text C:\Windows\system32\igfxsrvc.exe[1152] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 717D000A .text C:\Windows\system32\igfxsrvc.exe[1152] ADVAPI32.dll!CreateServiceW 777070C4 6 Bytes JMP 7189000A .text C:\Windows\system32\igfxsrvc.exe[1152] ADVAPI32.dll!CreateServiceA 77723264 6 Bytes JMP 718C000A .text C:\Windows\system32\igfxsrvc.exe[1152] ADVAPI32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 719B000A .text C:\Windows\system32\igfxsrvc.exe[1152] ADVAPI32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7195000A .text C:\Windows\system32\igfxsrvc.exe[1152] ADVAPI32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 719E000A .text C:\Windows\system32\igfxsrvc.exe[1152] ADVAPI32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7198000A .text C:\Windows\system32\igfxsrvc.exe[1152] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 71AE000A .text C:\Windows\system32\igfxsrvc.exe[1152] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 715E000A .text C:\Windows\system32\igfxsrvc.exe[1152] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 7167000A .text C:\Windows\system32\igfxsrvc.exe[1152] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7161000A .text C:\Windows\system32\igfxsrvc.exe[1152] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7164000A .text C:\Windows\system32\igfxsrvc.exe[1152] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 718F000A .text C:\Windows\system32\igfxsrvc.exe[1152] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7192000A .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [69, 71] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [3A, 71] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [6C, 71] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [40, 71] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [37, 71] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [3D, 71] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [31, 71] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [43, 71] .text C:\Windows\system32\taskhost.exe[1276] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 71A3000A .text C:\Windows\system32\taskhost.exe[1276] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 71A6000A .text C:\Windows\system32\taskhost.exe[1276] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 7173000A .text C:\Windows\system32\taskhost.exe[1276] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7170000A .text C:\Windows\system32\taskhost.exe[1276] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [2E, 71] .text C:\Windows\system32\taskhost.exe[1276] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 7179000A .text C:\Windows\system32\taskhost.exe[1276] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 7176000A .text C:\Windows\system32\taskhost.exe[1276] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 717F000A .text C:\Windows\system32\taskhost.exe[1276] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 717C000A .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [81, 71] .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!SendMessageA 769FAD60 6 Bytes JMP 7152000A .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!PostMessageA 769FB446 6 Bytes JMP 714C000A .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!PostMessageW 76A0447B 6 Bytes JMP 7149000A .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!SendMessageW 76A05539 6 Bytes JMP 714F000A .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!mouse_event 76A16209 6 Bytes JMP 715B000A .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!SendInput + 4 76A2701D 2 Bytes [54, 71] .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 71A0000A .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!keybd_event 76A4EC3B 6 Bytes JMP 7158000A .text C:\Windows\system32\taskhost.exe[1276] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 7185000A .text C:\Windows\system32\taskhost.exe[1276] advapi32.dll!CreateServiceW 777070C4 6 Bytes JMP 7188000A .text C:\Windows\system32\taskhost.exe[1276] advapi32.dll!CreateServiceA 77723264 6 Bytes JMP 718B000A .text C:\Windows\system32\taskhost.exe[1276] advapi32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 719A000A .text C:\Windows\system32\taskhost.exe[1276] advapi32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7194000A .text C:\Windows\system32\taskhost.exe[1276] advapi32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 719D000A .text C:\Windows\system32\taskhost.exe[1276] advapi32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7197000A .text C:\Windows\system32\taskhost.exe[1276] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 71AF000A .text C:\Windows\system32\taskhost.exe[1276] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 715E000A .text C:\Windows\system32\taskhost.exe[1276] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 7167000A .text C:\Windows\system32\taskhost.exe[1276] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7161000A .text C:\Windows\system32\taskhost.exe[1276] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7164000A .text C:\Windows\system32\taskhost.exe[1276] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 718E000A .text C:\Windows\system32\taskhost.exe[1276] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7191000A .text C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1312] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [80, 71] .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[1340] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [83, 71] .text C:\Program Files\Online Armor\oaui.exe[1340] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[1340] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [6E, 71] .text C:\Program Files\Online Armor\oaui.exe[1340] user32.dll!LoadStringA 769F66A7 6 Bytes JMP 716C000A .text C:\Program Files\Online Armor\oaui.exe[1340] user32.dll!SendMessageA 769FAD60 6 Bytes JMP 7196000A .text C:\Program Files\Online Armor\oaui.exe[1340] user32.dll!PostMessageA 769FB446 6 Bytes JMP 7190000A .text C:\Program Files\Online Armor\oaui.exe[1340] user32.dll!LoadStringW 769FDFBA 6 Bytes JMP 7168000A .text C:\Program Files\Online Armor\oaui.exe[1340] user32.dll!PostMessageW 76A0447B 6 Bytes JMP 718D000A .text C:\Program Files\Online Armor\oaui.exe[1340] user32.dll!SendMessageW 76A05539 6 Bytes JMP 7193000A .text C:\Program Files\Online Armor\oaui.exe[1340] user32.dll!mouse_event 76A16209 6 Bytes JMP 719F000A .text C:\Program Files\Online Armor\oaui.exe[1340] user32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\oaui.exe[1340] user32.dll!SendInput + 4 76A2701D 2 Bytes [98, 71] .text C:\Program Files\Online Armor\oaui.exe[1340] user32.dll!keybd_event 76A4EC3B 6 Bytes JMP 719C000A .text C:\Program Files\Online Armor\oaui.exe[1340] advapi32.dll!CreateServiceW 777070C4 6 Bytes JMP 7187000A .text C:\Program Files\Online Armor\oaui.exe[1340] advapi32.dll!CreateServiceA 77723264 6 Bytes JMP 718A000A .text C:\Program Files\Online Armor\oaui.exe[1340] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 71A2000A .text C:\Program Files\Online Armor\oaui.exe[1340] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 71AB000A .text C:\Program Files\Online Armor\oaui.exe[1340] WS2_32.dll!listen 76F9B001 6 Bytes JMP 71A5000A .text C:\Program Files\Online Armor\oaui.exe[1340] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 71A8000A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1400] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1400] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1400] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1400] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\spoolsv.exe[1428] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\spoolsv.exe[1428] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\System32\spoolsv.exe[1428] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\spoolsv.exe[1428] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [3A, 71] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [6D, 71] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [40, 71] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [37, 71] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [3D, 71] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [31, 71] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [43, 71] .text C:\Users\I\Downloads\9u98ubto.exe[1452] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 71A4000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 71A7000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 7174000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7171000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [2E, 71] .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [82, 71] .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!SendMessageA 769FAD60 6 Bytes JMP 7152000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!PostMessageA 769FB446 6 Bytes JMP 714C000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!PostMessageW 76A0447B 6 Bytes JMP 7149000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!SendMessageW 76A05539 6 Bytes JMP 714F000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!mouse_event 76A16209 6 Bytes JMP 715B000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!SendInput + 4 76A2701D 2 Bytes [54, 71] .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 71A1000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!keybd_event 76A4EC3B 6 Bytes JMP 7158000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] user32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 7186000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 717A000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 7177000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 7180000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 717D000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] advapi32.dll!CreateServiceW 777070C4 6 Bytes JMP 7189000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] advapi32.dll!CreateServiceA 77723264 6 Bytes JMP 718C000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] advapi32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 719B000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] advapi32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7195000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] advapi32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 719E000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] advapi32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7198000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!ioctlsocket 76F93084 6 Bytes JMP 7110000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!sendto 76F934B5 6 Bytes JMP 7122000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!closesocket 76F93918 6 Bytes JMP 712C000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 71AE000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!WSASend 76F94406 6 Bytes JMP 7101000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 715E000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!select 76F96989 6 Bytes JMP 7113000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!recv 76F96B0E 6 Bytes JMP 7108000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 7167000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!send 76F96F01 6 Bytes JMP 7125000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!WSARecv 76F97089 6 Bytes JMP 7104000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!WSAGetOverlappedResult 76F97489 6 Bytes JMP 70FB000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7161000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7164000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] WS2_32.dll!WSAAsyncSelect 76FAB014 6 Bytes JMP 710D000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 718F000A .text C:\Users\I\Downloads\9u98ubto.exe[1452] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7192000A .text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1496] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1496] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1496] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1496] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [2E, 71] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [86, 71] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [31, 71] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [8C, 71] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [83, 71] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [89, 71] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [80, 71] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [8F, 71] .text C:\Windows\system32\Dwm.exe[1548] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 7164000A .text C:\Windows\system32\Dwm.exe[1548] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 7167000A .text C:\Windows\system32\Dwm.exe[1548] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 7138000A .text C:\Windows\system32\Dwm.exe[1548] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7135000A .text C:\Windows\system32\Dwm.exe[1548] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[1548] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 713E000A .text C:\Windows\system32\Dwm.exe[1548] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 713B000A .text C:\Windows\system32\Dwm.exe[1548] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 7144000A .text C:\Windows\system32\Dwm.exe[1548] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 7141000A .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [46, 71] .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!SendMessageA 769FAD60 6 Bytes JMP 71A2000A .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!PostMessageA 769FB446 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!PostMessageW 76A0447B 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!SendMessageW 76A05539 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!mouse_event 76A16209 6 Bytes JMP 71AB000A .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!SendInput + 4 76A2701D 2 Bytes [A4, 71] .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 7161000A .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!keybd_event 76A4EC3B 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[1548] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 714A000A .text C:\Windows\system32\Dwm.exe[1548] ADVAPI32.dll!CreateServiceW 777070C4 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[1548] ADVAPI32.dll!CreateServiceA 77723264 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[1548] ADVAPI32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 715B000A .text C:\Windows\system32\Dwm.exe[1548] ADVAPI32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7155000A .text C:\Windows\system32\Dwm.exe[1548] ADVAPI32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 715E000A .text C:\Windows\system32\Dwm.exe[1548] ADVAPI32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7158000A .text C:\Windows\system32\Dwm.exe[1548] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 716B000A .text C:\Windows\system32\Dwm.exe[1548] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 716E000A .text C:\Windows\system32\Dwm.exe[1548] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 7177000A .text C:\Windows\system32\Dwm.exe[1548] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7171000A .text C:\Windows\system32\Dwm.exe[1548] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7174000A .text C:\Windows\system32\Dwm.exe[1548] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 714F000A .text C:\Windows\system32\Dwm.exe[1548] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7152000A .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [25, 71] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [86, 71] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [28, 71] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [8C, 71] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [83, 71] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [89, 71] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [80, 71] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [8F, 71] .text C:\Windows\Explorer.EXE[1560] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 715B000A .text C:\Windows\Explorer.EXE[1560] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 715E000A .text C:\Windows\Explorer.EXE[1560] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 712F000A .text C:\Windows\Explorer.EXE[1560] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 712C000A .text C:\Windows\Explorer.EXE[1560] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\Explorer.EXE[1560] ADVAPI32.dll!CreateServiceW 777070C4 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[1560] ADVAPI32.dll!CreateServiceA 77723264 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[1560] ADVAPI32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 7152000A .text C:\Windows\Explorer.EXE[1560] ADVAPI32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 714C000A .text C:\Windows\Explorer.EXE[1560] ADVAPI32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 7155000A .text C:\Windows\Explorer.EXE[1560] ADVAPI32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 714F000A .text C:\Windows\Explorer.EXE[1560] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 7135000A .text C:\Windows\Explorer.EXE[1560] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 7132000A .text C:\Windows\Explorer.EXE[1560] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 713B000A .text C:\Windows\Explorer.EXE[1560] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 7138000A .text C:\Windows\Explorer.EXE[1560] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [3D, 71] .text C:\Windows\Explorer.EXE[1560] USER32.dll!SendMessageA 769FAD60 6 Bytes JMP 71A2000A .text C:\Windows\Explorer.EXE[1560] USER32.dll!PostMessageA 769FB446 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[1560] USER32.dll!PostMessageW 76A0447B 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[1560] USER32.dll!SendMessageW 76A05539 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[1560] USER32.dll!mouse_event 76A16209 6 Bytes JMP 71AB000A .text C:\Windows\Explorer.EXE[1560] USER32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1560] USER32.dll!SendInput + 4 76A2701D 2 Bytes [A4, 71] .text C:\Windows\Explorer.EXE[1560] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 7158000A .text C:\Windows\Explorer.EXE[1560] USER32.dll!keybd_event 76A4EC3B 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[1560] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 7141000A .text C:\Windows\Explorer.EXE[1560] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 7162000A .text C:\Windows\Explorer.EXE[1560] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 7165000A .text C:\Windows\Explorer.EXE[1560] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 716E000A .text C:\Windows\Explorer.EXE[1560] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7168000A .text C:\Windows\Explorer.EXE[1560] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 716B000A .text C:\Windows\Explorer.EXE[1560] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 7146000A .text C:\Windows\Explorer.EXE[1560] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7149000A .text C:\Windows\System32\svchost.exe[1764] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1764] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\System32\svchost.exe[1764] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1764] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1876] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAcat.exe[1920] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAcat.exe[1920] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Online Armor\OAcat.exe[1920] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAcat.exe[1920] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe[1928] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe[1928] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe[1928] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe[1928] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oasrv.exe[1980] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oasrv.exe[1980] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Online Armor\oasrv.exe[1980] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oasrv.exe[1980] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\oasrv.exe[1980] user32.dll!LoadStringA 769F66A7 6 Bytes JMP 71AF000A .text C:\Program Files\Online Armor\oasrv.exe[1980] user32.dll!LoadStringW 769FDFBA 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe[2160] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe[2160] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe[2160] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe[2160] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [61, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [64, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 71A3001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 71A6001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 716A001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7167001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 7179001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 7176001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 717F001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 717C001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [82, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 71A0001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 7185001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] advapi32.dll!CreateServiceW 777070C4 6 Bytes JMP 7188001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] advapi32.dll!CreateServiceA 77723264 6 Bytes JMP 718B001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] advapi32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 719A001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] advapi32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7194001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] advapi32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 719D001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] advapi32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7197001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 71AD001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 718E001E .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[2356] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7191001E .text C:\Windows\system32\svchost.exe[2376] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[2376] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[2376] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[2376] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\HWDeviceService.exe[2464] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\HWDeviceService.exe[2464] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\ProgramData\DatacardService\HWDeviceService.exe[2464] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\HWDeviceService.exe[2464] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [61, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [2D, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [64, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [33, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [2A, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [30, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [24, 71] {AND AL, 0x71} .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [27, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [36, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 71A4000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 71A7000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 716B000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7168000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [21, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [82, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!SendMessageA 769FAD60 6 Bytes JMP 7145000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!PostMessageA 769FB446 6 Bytes JMP 713F000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!PostMessageW 76A0447B 6 Bytes JMP 713C000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!SendMessageW 76A05539 6 Bytes JMP 7142000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!mouse_event 76A16209 6 Bytes JMP 714E000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!SendInput + 4 76A2701D 2 Bytes [47, 71] .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 71A1000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!keybd_event 76A4EC3B 6 Bytes JMP 714B000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 7186000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 717A000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 7177000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 7180000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 717D000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ADVAPI32.dll!CreateServiceW 777070C4 6 Bytes JMP 7189000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ADVAPI32.dll!CreateServiceA 77723264 6 Bytes JMP 718C000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ADVAPI32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 719B000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ADVAPI32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7195000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ADVAPI32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 719E000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] ADVAPI32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7198000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 71AE000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 7151000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 715A000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7154000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7157000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 718F000A .text C:\ProgramData\DatacardService\DCSHelper.exe[2660] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7192000A .text C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe[2920] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe[2920] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe[2920] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe[2920] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Winreview.ru\Personalization Panel DWM Controller\persdwmsrv.exe[2984] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Winreview.ru\Personalization Panel DWM Controller\persdwmsrv.exe[2984] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Winreview.ru\Personalization Panel DWM Controller\persdwmsrv.exe[2984] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Winreview.ru\Personalization Panel DWM Controller\persdwmsrv.exe[2984] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [3A, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [6D, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [40, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [37, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [3D, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [31, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [43, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 71A4000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 71A7000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 7174000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7171000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [2E, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [82, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!SendMessageA 769FAD60 6 Bytes JMP 7152000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!PostMessageA 769FB446 6 Bytes JMP 714C000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!PostMessageW 76A0447B 6 Bytes JMP 7149000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!SendMessageW 76A05539 6 Bytes JMP 714F000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!mouse_event 76A16209 6 Bytes JMP 715B000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!SendInput + 4 76A2701D 2 Bytes [54, 71] .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 71A1000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!keybd_event 76A4EC3B 6 Bytes JMP 7158000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 7186000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 717A000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 7177000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 7180000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 717D000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ADVAPI32.dll!CreateServiceW 777070C4 6 Bytes JMP 7189000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ADVAPI32.dll!CreateServiceA 77723264 6 Bytes JMP 718C000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ADVAPI32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 719B000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ADVAPI32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7195000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ADVAPI32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 719E000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] ADVAPI32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7198000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!ioctlsocket 76F93084 6 Bytes JMP 7119000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!sendto 76F934B5 6 Bytes JMP 711F000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!closesocket 76F93918 6 Bytes JMP 712C000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 71AE000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!WSASend 76F94406 6 Bytes JMP 7107000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 715E000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!select 76F96989 6 Bytes JMP 711C000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!recv 76F96B0E 6 Bytes JMP 710E000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 7167000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!send 76F96F01 6 Bytes JMP 7122000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!WSARecv 76F97089 6 Bytes JMP 710A000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!WSAGetOverlappedResult 76F97489 6 Bytes JMP 7101000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7161000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7164000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] WS2_32.dll!WSAAsyncSelect 76FAB014 6 Bytes JMP 7113000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 718F000A .text C:\Program Files\KeyScrambler\KeyScrambler.exe[3020] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7192000A .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\LiveTunerService.exe[3112] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\LiveTunerService.exe[3112] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\LiveTunerService.exe[3112] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Ashampoo\Ashampoo WinOptimizer 10\LiveTunerService.exe[3112] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\CyberGhost 5\Service.exe[3396] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\CyberGhost 5\Service.exe[3396] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\CyberGhost 5\Service.exe[3396] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\CyberGhost 5\Service.exe[3396] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\SearchIndexer.exe[3548] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\SearchIndexer.exe[3548] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\SearchIndexer.exe[3548] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\SearchIndexer.exe[3548] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [80, 71] .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[3584] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [83, 71] .text C:\Program Files\Online Armor\OAhlp.exe[3584] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[3584] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [6E, 71] .text C:\Program Files\Online Armor\OAhlp.exe[3584] user32.dll!LoadStringA 769F66A7 6 Bytes JMP 716C000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] user32.dll!SendMessageA 769FAD60 6 Bytes JMP 7196000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] user32.dll!PostMessageA 769FB446 6 Bytes JMP 7190000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] user32.dll!LoadStringW 769FDFBA 6 Bytes JMP 7168000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] user32.dll!PostMessageW 76A0447B 6 Bytes JMP 718D000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] user32.dll!SendMessageW 76A05539 6 Bytes JMP 7193000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] user32.dll!mouse_event 76A16209 6 Bytes JMP 719F000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] user32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Online Armor\OAhlp.exe[3584] user32.dll!SendInput + 4 76A2701D 2 Bytes [98, 71] .text C:\Program Files\Online Armor\OAhlp.exe[3584] user32.dll!keybd_event 76A4EC3B 6 Bytes JMP 719C000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] advapi32.dll!CreateServiceW 777070C4 6 Bytes JMP 7187000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] advapi32.dll!CreateServiceA 77723264 6 Bytes JMP 718A000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 71A2000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 71AB000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] WS2_32.dll!listen 76F9B001 6 Bytes JMP 71A5000A .text C:\Program Files\Online Armor\OAhlp.exe[3584] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3708] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[3708] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Windows\system32\svchost.exe[3708] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[3708] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [3A, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [6D, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [40, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [37, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [3D, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [31, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [43, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 71A4000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 71A7000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 7174000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7171000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [2E, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] advapi32.dll!CreateServiceW 777070C4 6 Bytes JMP 7189000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] advapi32.dll!CreateServiceA 77723264 6 Bytes JMP 718C000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] advapi32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 719B000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] advapi32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7195000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] advapi32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 719E000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] advapi32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7198000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 717A000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 7177000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 7180000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 717D000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [82, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!SendMessageA 769FAD60 6 Bytes JMP 7152000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!PostMessageA 769FB446 6 Bytes JMP 714C000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!PostMessageW 76A0447B 6 Bytes JMP 7149000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!SendMessageW 76A05539 6 Bytes JMP 714F000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!mouse_event 76A16209 6 Bytes JMP 715B000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!SendInput + 4 76A2701D 2 Bytes [54, 71] .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 71A1000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!keybd_event 76A4EC3B 6 Bytes JMP 7158000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] USER32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 7186000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!ioctlsocket 76F93084 6 Bytes JMP 711C000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!sendto 76F934B5 6 Bytes JMP 7122000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!closesocket 76F93918 6 Bytes JMP 712C000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 71AE000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!WSASend 76F94406 6 Bytes JMP 710A000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 715E000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!select 76F96989 6 Bytes JMP 711F000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!recv 76F96B0E 6 Bytes JMP 7111000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 7167000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!send 76F96F01 6 Bytes JMP 7125000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!WSARecv 76F97089 6 Bytes JMP 710D000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!WSAGetOverlappedResult 76F97489 6 Bytes JMP 7104000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7161000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7164000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] WS2_32.dll!WSAAsyncSelect 76FAB014 6 Bytes JMP 7119000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 718F000A .text C:\Program Files\MCShield\MCShieldRTM.exe[3728] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7192000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtAcceptConnectPort 775951E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtAcceptConnectPort + 4 775951EC 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtAllocateVirtualMemory 77595318 5 Bytes JMP 74AE8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtCreateFile 77595608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtCreateFile + 4 7759560C 2 Bytes [3A, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtCreateSymbolicLinkObject 77595748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtCreateSymbolicLinkObject + 4 7759574C 2 Bytes [6D, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtDeleteValueKey 77595888 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtDeleteValueKey + 4 7759588C 2 Bytes [40, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtFlushBuffersFile 77595998 5 Bytes JMP 6445EF64 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtFreeVirtualMemory 77595A18 1 Byte [E9] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtFreeVirtualMemory 77595A18 5 Bytes JMP 74AE8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtOpenFile 77595D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtOpenFile + 4 77595D1C 2 Bytes [37, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtOpenProcess 77595DC8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtOpenProcess + 4 77595DCC 2 Bytes [3D, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtProtectVirtualMemory 77595F58 5 Bytes JMP 74AE8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtQueryFullAttributesFile 77596028 5 Bytes JMP 6445EC80 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtReadFile 775962F8 5 Bytes JMP 6445EE60 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtReadFileScatter 77596308 2 Bytes JMP 64DA64C0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtReadFileScatter + 3 7759630B 2 Bytes [81, ED] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtSetContextThread 775965A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtSetContextThread + 4 775965AC 2 Bytes [31, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtSetInformationFile 77596678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtSetInformationFile + 4 7759667C 2 Bytes [34, 71] {XOR AL, 0x71} .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtSetValueKey 77596848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtSetValueKey + 4 7759684C 2 Bytes [43, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtWriteFile 77596AA8 5 Bytes JMP 6447B690 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!NtWriteFileGather 77596AB8 5 Bytes JMP 64DA646F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] ntdll.dll!LdrLoadDll 775B22AE 5 Bytes JMP 72901F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] KERNEL32.dll!CreateProcessW 770F204D 6 Bytes JMP 71A4000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] KERNEL32.dll!CreateProcessA 770F2082 6 Bytes JMP 71A7000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 771394E6 7 Bytes JMP 64D0D001 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] KERNEL32.dll!QueryPerformanceCounter + 13 7713C4E5 7 Bytes JMP 64D0D024 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] KERNEL32.dll!LoadLibraryA 7713DD15 6 Bytes JMP 7174000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] KERNEL32.dll!LoadLibraryW 7713EFF2 6 Bytes JMP 7171000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] KERNEL32.dll!LoadAppInitDlls + 355 7713F5A6 7 Bytes JMP 64477374 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] KERNEL32.dll!CreateProcessInternalW 77140852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] KERNEL32.dll!CreateProcessInternalW + 4 77140856 2 Bytes [2E, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!RegisterHotKey 769FAA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!RegisterHotKey + 4 769FAA1D 2 Bytes [82, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!SendMessageA 769FAD60 6 Bytes JMP 7152000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!PostMessageA 769FB446 6 Bytes JMP 714C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!PostMessageW 76A0447B 6 Bytes JMP 7149000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!GetWindowInfo 76A04B5E 5 Bytes JMP 64C13388 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!SendMessageW 76A05539 6 Bytes JMP 714F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!mouse_event 76A16209 6 Bytes JMP 715B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!SendInput 76A27019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!SendInput + 4 76A2701D 2 Bytes [54, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!ExitWindowsEx 76A406C7 6 Bytes JMP 71A1000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!keybd_event 76A4EC3B 6 Bytes JMP 7158000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] user32.dll!DdeClientTransaction 76A5323C 6 Bytes JMP 7186000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] GDI32.dll!DeleteDC 758D6EAA 6 Bytes JMP 717A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] GDI32.dll!BitBlt 758D72C0 6 Bytes JMP 7177000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] GDI32.dll!GetViewportOrgEx + 26C 758D884B 7 Bytes JMP 64D0CF82 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] GDI32.dll!CreateDCA 758DCCA9 6 Bytes JMP 7180000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] GDI32.dll!CreateDCW 758DCF79 6 Bytes JMP 717D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] advapi32.dll!CreateServiceW 777070C4 6 Bytes JMP 7189000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] advapi32.dll!CreateServiceA 77723264 6 Bytes JMP 718C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] advapi32.dll!InitiateSystemShutdownW 7773DC55 6 Bytes JMP 719B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] advapi32.dll!InitiateSystemShutdownExW 7773DD22 6 Bytes JMP 7195000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] advapi32.dll!InitiateSystemShutdownA 7773DDF7 6 Bytes JMP 719E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] advapi32.dll!InitiateSystemShutdownExA 7773DE9E 6 Bytes JMP 7198000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!ioctlsocket 76F93084 6 Bytes JMP 7119000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!sendto 76F934B5 6 Bytes JMP 711F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!closesocket 76F93918 6 Bytes JMP 7129000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!socket 76F93EB8 6 Bytes JMP 71AE000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!WSASend 76F94406 6 Bytes JMP 7103000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!WSALookupServiceBeginW 76F9575A 6 Bytes JMP 715E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!select 76F96989 6 Bytes JMP 711C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!recv 76F96B0E 6 Bytes JMP 710A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!connect 76F96BDD 6 Bytes JMP 7167000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!send 76F96F01 6 Bytes JMP 7122000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!WSARecv 76F97089 6 Bytes JMP 7106000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!WSAGetOverlappedResult 76F97489 6 Bytes JMP 70FD000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!listen 76F9B001 6 Bytes JMP 7161000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!WSAConnect 76F9CC3F 6 Bytes JMP 7164000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] WS2_32.dll!WSAAsyncSelect 76FAB014 6 Bytes JMP 710F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] IPHLPAPI.DLL!IcmpSendEcho2Ex 736B843C 6 Bytes JMP 718F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3920] IPHLPAPI.DLL!IcmpSendEcho2 736B873B 6 Bytes JMP 7192000A ---- Devices - GMER 2.1 ---- Device \Driver\tdx \Device\Tcp OAmon.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fltsrv.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fltsrv.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fltsrv.sys Device \Driver\tdx \Device\RawIp6 OAmon.sys Device \Driver\tdx \Device\Tcp6 OAmon.sys Device \Driver\tdx \Device\Tdx OAmon.sys Device \Driver\partmgr \Device\PartmgrControl fltsrv.sys Device \Driver\tdx \Device\Udp OAmon.sys Device \Driver\tdx \Device\RawIp OAmon.sys Device \Driver\tdx \Device\Udp6 OAmon.sys Device \Driver\rdyboost \Device\RdyBoost fltsrv.sys ---- EOF - GMER 2.1 ----