GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-26 22:50:50 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AC1 465,76GB Running: vdzvclb8.exe; Driver: c:\Temp\pxldypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x920169FE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x92016BF2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0x92015CAE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0x9201662C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0x920163BE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x920177B2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0x92015658] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x92016E3C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0x920171B8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x92015F92] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0x92016824] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0x92016246] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x920174B8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x92015EFC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x92016132] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x92015A8E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0x9201585C] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 84445A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8447F212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 8448646C 4 Bytes [FE, 69, 01, 92] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 84486494 4 Bytes [F2, 6B, 01, 92] {IMUL EAX, [ECX], -0x6e} .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 84486528 4 Bytes [AE, 5C, 01, 92] .text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 84486544 4 Bytes [2C, 66, 01, 92] .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 8448658C 4 Bytes [BE, 63, 01, 92] .text ... ---- User code sections - GMER 2.1 ---- .text C:\windows\Explorer.EXE[484] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\Explorer.EXE[484] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [77, 71] {JA 0x73} .text C:\windows\Explorer.EXE[484] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\Explorer.EXE[484] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\Explorer.EXE[484] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\Explorer.EXE[484] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\Explorer.EXE[484] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\Explorer.EXE[484] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\Explorer.EXE[484] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\Explorer.EXE[484] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\Explorer.EXE[484] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\Explorer.EXE[484] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\Explorer.EXE[484] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\Explorer.EXE[484] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\Explorer.EXE[484] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717E000A .text C:\windows\Explorer.EXE[484] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717B000A .text C:\windows\Explorer.EXE[484] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7181000A .text C:\windows\system32\csrss.exe[524] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 5 Bytes JMP 74DE2270 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\csrss.exe[524] ntdll.dll!NtReplyWaitReceivePort 76E46458 5 Bytes JMP 74DE1970 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\csrss.exe[524] ntdll.dll!NtReplyWaitReceivePortEx 76E46468 5 Bytes JMP 74DE1DF0 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\taskhost.exe[536] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\taskhost.exe[536] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\taskhost.exe[536] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\taskhost.exe[536] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\taskhost.exe[536] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\taskhost.exe[536] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\taskhost.exe[536] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\taskhost.exe[536] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\taskhost.exe[536] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\taskhost.exe[536] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\taskhost.exe[536] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\taskhost.exe[536] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\taskhost.exe[536] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\taskhost.exe[536] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\taskhost.exe[536] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\taskhost.exe[536] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\taskhost.exe[536] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\csrss.exe[612] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 5 Bytes JMP 74DE2270 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\csrss.exe[612] ntdll.dll!NtReplyWaitReceivePort 76E46458 5 Bytes JMP 74DE1970 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\csrss.exe[612] ntdll.dll!NtReplyWaitReceivePortEx 76E46468 5 Bytes JMP 74DE1DF0 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\services.exe[656] services.exe 002B1608 4 Bytes [40, 5A, 01, 10] {INC EAX; POP EDX; ADD [EAX], EDX} .text C:\windows\system32\services.exe[656] services.exe 002B1618 4 Bytes [20, 5E, 01, 10] .text C:\windows\system32\services.exe[656] services.exe 002B1638 4 Bytes [A0, 57, 01, 10] .text C:\windows\system32\services.exe[656] services.exe 002B1648 4 Bytes [40, 5C, 01, 10] {INC EAX; POP ESP; ADD [EAX], EDX} .text C:\windows\system32\services.exe[656] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\services.exe[656] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [74, 71] {JZ 0x73} .text C:\windows\system32\services.exe[656] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\services.exe[656] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\services.exe[656] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\services.exe[656] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\services.exe[656] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\services.exe[656] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\services.exe[656] RPCRT4.dll!RpcServerRegisterIfEx 762E0898 6 Bytes JMP 7190000A .text C:\windows\system32\services.exe[656] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717B000A .text C:\windows\system32\services.exe[656] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 7178000A .text C:\windows\system32\services.exe[656] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 717E000A .text C:\windows\system32\services.exe[656] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7184000A .text C:\windows\system32\services.exe[656] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 7187000A .text C:\windows\system32\services.exe[656] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 718D000A .text C:\windows\system32\services.exe[656] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718A000A .text C:\windows\system32\services.exe[656] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\services.exe[656] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\lsass.exe[724] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\lsass.exe[724] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\lsass.exe[724] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\lsass.exe[724] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\lsass.exe[724] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\lsass.exe[724] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\lsass.exe[724] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\lsass.exe[724] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\lsass.exe[724] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\lsass.exe[724] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\lsass.exe[724] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\lsass.exe[724] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\lsass.exe[724] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\lsass.exe[724] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\lsass.exe[724] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\lsass.exe[724] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\lsass.exe[724] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\lsm.exe[732] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\lsm.exe[732] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\lsm.exe[732] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\lsm.exe[732] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\lsm.exe[732] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\lsm.exe[732] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\lsm.exe[732] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\lsm.exe[732] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\lsm.exe[732] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\lsm.exe[732] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\lsm.exe[732] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\lsm.exe[732] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\lsm.exe[732] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\lsm.exe[732] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\lsm.exe[732] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\lsm.exe[732] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\lsm.exe[732] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[836] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[836] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [77, 71] {JA 0x73} .text C:\windows\system32\svchost.exe[836] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[836] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[836] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[836] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\svchost.exe[836] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[836] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[836] RPCRT4.dll!RpcServerRegisterIfEx 762E0898 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[836] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717E000A .text C:\windows\system32\svchost.exe[836] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717B000A .text C:\windows\system32\svchost.exe[836] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7181000A .text C:\windows\system32\svchost.exe[836] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[836] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[836] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[836] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[836] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[836] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\nvvsvc.exe[896] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\nvvsvc.exe[896] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\nvvsvc.exe[896] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\nvvsvc.exe[896] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\nvvsvc.exe[896] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\nvvsvc.exe[896] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\nvvsvc.exe[896] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\nvvsvc.exe[896] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\nvvsvc.exe[896] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\nvvsvc.exe[896] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\nvvsvc.exe[896] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\nvvsvc.exe[896] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\nvvsvc.exe[896] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\nvvsvc.exe[896] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\nvvsvc.exe[896] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\nvvsvc.exe[896] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\nvvsvc.exe[896] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[932] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[932] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [77, 71] {JA 0x73} .text C:\windows\system32\svchost.exe[932] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[932] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[932] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[932] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\svchost.exe[932] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[932] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[932] RPCRT4.dll!RpcServerRegisterIfEx 762E0898 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[932] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717E000A .text C:\windows\system32\svchost.exe[932] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717B000A .text C:\windows\system32\svchost.exe[932] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7181000A .text C:\windows\system32\svchost.exe[932] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[932] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[932] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[932] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[932] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[932] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[932] rpcss.dll!CoGetComCatalog 743235EC 8 Bytes [80, 4F, 01, 10, 40, 4D, 01, ...] {OR BYTE [EDI+0x1], 0x10; INC EAX; DEC EBP; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] ntdll.dll!NtAllocateVirtualMemory 76E45318 5 Bytes JMP 00133760 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1028] ntdll.dll!NtCreateFile 76E45608 5 Bytes JMP 0017D090 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1036] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[1076] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1076] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\svchost.exe[1076] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1076] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[1076] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[1076] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\svchost.exe[1076] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[1076] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\svchost.exe[1076] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[1076] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[1076] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[1076] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[1076] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[1076] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[1076] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\System32\svchost.exe[1120] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1120] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\System32\svchost.exe[1120] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1120] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\System32\svchost.exe[1120] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\System32\svchost.exe[1120] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\System32\svchost.exe[1120] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\System32\svchost.exe[1120] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\System32\svchost.exe[1120] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\System32\svchost.exe[1120] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\System32\svchost.exe[1120] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\System32\svchost.exe[1120] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\System32\svchost.exe[1120] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\System32\svchost.exe[1120] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\System32\svchost.exe[1120] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\System32\svchost.exe[1120] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\System32\svchost.exe[1120] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\System32\svchost.exe[1152] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1152] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\System32\svchost.exe[1152] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1152] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\System32\svchost.exe[1152] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\System32\svchost.exe[1152] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\System32\svchost.exe[1152] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\System32\svchost.exe[1152] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\System32\svchost.exe[1152] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\System32\svchost.exe[1152] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\System32\svchost.exe[1152] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\System32\svchost.exe[1152] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\System32\svchost.exe[1152] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\System32\svchost.exe[1152] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\System32\svchost.exe[1152] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\taskeng.exe[1188] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\taskeng.exe[1188] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\taskeng.exe[1188] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\taskeng.exe[1188] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\taskeng.exe[1188] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\taskeng.exe[1188] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\taskeng.exe[1188] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\taskeng.exe[1188] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\taskeng.exe[1188] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\taskeng.exe[1188] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\taskeng.exe[1188] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\taskeng.exe[1188] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\taskeng.exe[1188] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\taskeng.exe[1188] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\taskeng.exe[1188] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\taskeng.exe[1188] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\taskeng.exe[1188] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[1192] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1192] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\svchost.exe[1192] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1192] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[1192] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[1192] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\svchost.exe[1192] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[1192] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[1192] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\svchost.exe[1192] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\svchost.exe[1192] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[1192] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[1192] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[1192] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[1192] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[1192] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[1192] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[1224] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1224] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [77, 71] {JA 0x73} .text C:\windows\system32\svchost.exe[1224] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1224] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[1224] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[1224] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\svchost.exe[1224] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[1224] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[1224] RPCRT4.dll!RpcServerRegisterIfEx 762E0898 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[1224] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717E000A .text C:\windows\system32\svchost.exe[1224] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717B000A .text C:\windows\system32\svchost.exe[1224] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7181000A .text C:\windows\system32\svchost.exe[1224] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[1224] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[1224] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[1224] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[1224] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[1224] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[1512] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1512] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [77, 71] {JA 0x73} .text C:\windows\system32\svchost.exe[1512] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1512] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[1512] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[1512] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\svchost.exe[1512] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[1512] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[1512] RPCRT4.dll!RpcServerRegisterIfEx 762E0898 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[1512] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717E000A .text C:\windows\system32\svchost.exe[1512] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717B000A .text C:\windows\system32\svchost.exe[1512] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7181000A .text C:\windows\system32\svchost.exe[1512] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[1512] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[1512] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[1512] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[1512] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[1512] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\nvvsvc.exe[1544] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\nvvsvc.exe[1544] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\nvvsvc.exe[1544] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\nvvsvc.exe[1544] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\nvvsvc.exe[1544] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\nvvsvc.exe[1544] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\nvvsvc.exe[1544] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\nvvsvc.exe[1544] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\nvvsvc.exe[1544] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\nvvsvc.exe[1544] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\nvvsvc.exe[1544] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\nvvsvc.exe[1544] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\nvvsvc.exe[1544] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\nvvsvc.exe[1544] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\nvvsvc.exe[1544] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\nvvsvc.exe[1544] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\nvvsvc.exe[1544] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Users\dom\Desktop\przegladarki\Palemoon_download\vdzvclb8.exe[1624] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\Dwm.exe[1640] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\Dwm.exe[1640] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\Dwm.exe[1640] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\Dwm.exe[1640] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\Dwm.exe[1640] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\Dwm.exe[1640] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\Dwm.exe[1640] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\Dwm.exe[1640] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\Dwm.exe[1640] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\Dwm.exe[1640] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\Dwm.exe[1640] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\Dwm.exe[1640] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\Dwm.exe[1640] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\Dwm.exe[1640] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\Dwm.exe[1640] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\Dwm.exe[1640] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\Dwm.exe[1640] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\System32\spoolsv.exe[1780] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\System32\spoolsv.exe[1780] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\System32\spoolsv.exe[1780] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\System32\spoolsv.exe[1780] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\System32\spoolsv.exe[1780] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\System32\spoolsv.exe[1780] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\System32\spoolsv.exe[1780] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\System32\spoolsv.exe[1780] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\System32\spoolsv.exe[1780] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\System32\spoolsv.exe[1780] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\System32\spoolsv.exe[1780] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\System32\spoolsv.exe[1780] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\System32\spoolsv.exe[1780] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\System32\spoolsv.exe[1780] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\System32\spoolsv.exe[1780] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\System32\spoolsv.exe[1780] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\System32\spoolsv.exe[1780] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1924] ntdll.dll!NtAllocateVirtualMemory 76E45318 5 Bytes JMP 012811F0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1924] ntdll.dll!NtCreateFile 76E45608 5 Bytes JMP 01281000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1972] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\SYSTEM32\Rezip.exe[2024] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\SYSTEM32\Rezip.exe[2024] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [79, 71] {JNS 0x73} .text C:\windows\SYSTEM32\Rezip.exe[2024] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\SYSTEM32\Rezip.exe[2024] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\SYSTEM32\Rezip.exe[2024] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\SYSTEM32\Rezip.exe[2024] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\SYSTEM32\Rezip.exe[2024] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\SYSTEM32\Rezip.exe[2024] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7192000A .text C:\windows\SYSTEM32\Rezip.exe[2024] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7180000A .text C:\windows\SYSTEM32\Rezip.exe[2024] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717D000A .text C:\windows\SYSTEM32\Rezip.exe[2024] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7183000A .text C:\windows\SYSTEM32\Rezip.exe[2024] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7186000A .text C:\windows\SYSTEM32\Rezip.exe[2024] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 7189000A .text C:\windows\SYSTEM32\Rezip.exe[2024] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 718F000A .text C:\windows\SYSTEM32\Rezip.exe[2024] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718C000A .text C:\windows\SYSTEM32\Rezip.exe[2024] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\SYSTEM32\Rezip.exe[2024] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7195000A .text C:\windows\system32\svchost.exe[2064] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2064] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\svchost.exe[2064] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2064] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[2064] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[2064] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\svchost.exe[2064] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[2064] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[2064] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\svchost.exe[2064] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\svchost.exe[2064] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[2064] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[2064] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[2064] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[2064] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[2064] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[2064] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[2120] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2120] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\svchost.exe[2120] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2120] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[2120] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[2120] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\svchost.exe[2120] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[2120] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[2120] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\svchost.exe[2120] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\svchost.exe[2120] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[2120] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[2120] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[2120] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[2120] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[2120] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[2120] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717B000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 7178000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 717E000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7181000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe[2204] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[2248] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2276] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] ADVAPI32.DLL!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] ADVAPI32.DLL!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7181000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717B000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 7178000A .text C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2308] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2556] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[2632] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[2732] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2732] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\svchost.exe[2732] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2732] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[2732] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[2732] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\svchost.exe[2732] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[2732] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[2732] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\svchost.exe[2732] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\svchost.exe[2732] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[2732] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[2732] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[2732] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[2732] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[2732] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[2732] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[2920] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2920] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\svchost.exe[2920] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2920] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[2920] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[2920] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\svchost.exe[2920] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[2920] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[2920] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\svchost.exe[2920] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\svchost.exe[2920] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\svchost.exe[2920] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[2920] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[2920] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[2920] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[2920] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[2920] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\System32\rundll32.exe[3160] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\System32\rundll32.exe[3160] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [77, 71] {JA 0x73} .text C:\windows\System32\rundll32.exe[3160] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\System32\rundll32.exe[3160] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\System32\rundll32.exe[3160] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\System32\rundll32.exe[3160] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\System32\rundll32.exe[3160] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\System32\rundll32.exe[3160] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\System32\rundll32.exe[3160] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717E000A .text C:\windows\System32\rundll32.exe[3160] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717B000A .text C:\windows\System32\rundll32.exe[3160] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7181000A .text C:\windows\System32\rundll32.exe[3160] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\System32\rundll32.exe[3160] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\System32\rundll32.exe[3160] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\System32\rundll32.exe[3160] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\System32\rundll32.exe[3160] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\System32\rundll32.exe[3160] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7181000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 717B000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 7178000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3276] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 717E000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3284] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[3352] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Users\dom\AppData\Local\FluxSoftware\Flux\flux.exe[3400] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3436] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\SearchIndexer.exe[3696] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\SearchIndexer.exe[3696] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\system32\SearchIndexer.exe[3696] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\SearchIndexer.exe[3696] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\system32\SearchIndexer.exe[3696] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\SearchIndexer.exe[3696] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\system32\SearchIndexer.exe[3696] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\system32\SearchIndexer.exe[3696] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\system32\SearchIndexer.exe[3696] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\system32\SearchIndexer.exe[3696] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\system32\SearchIndexer.exe[3696] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\system32\SearchIndexer.exe[3696] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\system32\SearchIndexer.exe[3696] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\system32\SearchIndexer.exe[3696] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\system32\SearchIndexer.exe[3696] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\system32\SearchIndexer.exe[3696] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\system32\SearchIndexer.exe[3696] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3704] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3868] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\windows\System32\svchost.exe[3960] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[3960] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\windows\System32\svchost.exe[3960] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[3960] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\windows\System32\svchost.exe[3960] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\windows\System32\svchost.exe[3960] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\windows\System32\svchost.exe[3960] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\windows\System32\svchost.exe[3960] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\windows\System32\svchost.exe[3960] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\windows\System32\svchost.exe[3960] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\windows\System32\svchost.exe[3960] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\windows\System32\svchost.exe[3960] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\windows\System32\svchost.exe[3960] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\windows\System32\svchost.exe[3960] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\windows\System32\svchost.exe[3960] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\windows\System32\svchost.exe[3960] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\windows\System32\svchost.exe[3960] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4040] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] user32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] user32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] user32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] advapi32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\TC PowerPack 2\totalcmd.exe[4592] advapi32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Pale Moon\palemoon.exe[4796] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Pale Moon\palemoon.exe[4796] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Pale Moon\palemoon.exe[4796] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\Pale Moon\palemoon.exe[4796] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] ntdll.dll!LdrGetProcedureAddress + 26 76E622A9 7 Bytes JMP 62D86E40 C:\Program Files\Pale Moon\xul.dll .text C:\Program Files\Pale Moon\palemoon.exe[4796] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 752894E6 7 Bytes JMP 63BA1EC0 C:\Program Files\Pale Moon\xul.dll .text C:\Program Files\Pale Moon\palemoon.exe[4796] kernel32.dll!QueryPerformanceCounter + 13 7528C4E5 7 Bytes JMP 63BA1E70 C:\Program Files\Pale Moon\xul.dll .text C:\Program Files\Pale Moon\palemoon.exe[4796] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] GDI32.dll!GetViewportOrgEx + 26C 7626884B 7 Bytes JMP 63BA1EF0 C:\Program Files\Pale Moon\xul.dll .text C:\Program Files\Pale Moon\palemoon.exe[4796] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\Pale Moon\palemoon.exe[4796] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] ntdll.dll!NtAlpcSendWaitReceivePort 76E45458 3 Bytes [FF, 25, 1E] .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E4545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] ntdll.dll!NtClose 76E45508 3 Bytes [FF, 25, 1E] .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] ntdll.dll!NtClose + 4 76E4550C 2 Bytes [AE, 71] .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] ntdll.dll!LdrUnloadDll 76E5C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] kernel32.dll!CreateProcessW 7524204D 6 Bytes JMP 719F000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] kernel32.dll!CreateProcessA 75242082 6 Bytes JMP 719C000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] kernel32.dll!CreateProcessAsUserW 75275ABF 6 Bytes JMP 7193000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] USER32.dll!SetWindowsHookExW 76A0E30C 6 Bytes JMP 7181000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] USER32.dll!SetWinEventHook 76A124DC 6 Bytes JMP 717E000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] USER32.dll!SetWindowsHookExA 76A36D0C 6 Bytes JMP 7184000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] GDI32.dll!DeleteDC 76266EAA 6 Bytes JMP 7187000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] GDI32.dll!GetPixel 7626C3D5 6 Bytes JMP 718A000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] GDI32.dll!CreateDCA 7626CCA9 6 Bytes JMP 7190000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] GDI32.dll!CreateDCW 7626CF79 6 Bytes JMP 718D000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] ADVAPI32.dll!CreateProcessAsUserA 76712642 6 Bytes JMP 7199000A .text C:\Program Files\TC PowerPack 2\Tools\Notepad2\Notepad2.exe[5556] ADVAPI32.dll!CreateProcessWithLogonW 76715429 6 Bytes JMP 7196000A ---- User IAT/EAT - GMER 2.1 ---- IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7392249F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73905652] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73905710] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [7392251A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7391857E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73914D32] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [739150D9] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [739151AE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [739166DB] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [739182D5] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73918824] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73919085] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7391E228] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\windows\Explorer.EXE[484] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73914C64] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \Driver\BTHUSB \Device\0000008e bthport.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654edff Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f493 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f652 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6558b40 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6558b40@943af009bb85 0x30 0x7A 0x2A 0x2B ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6558b40@30d6c9527ead 0x45 0x13 0xC0 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6558b40@a8922cb3967e 0x81 0x52 0xD9 0xDD ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654edff (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f493 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f652 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6558b40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6558b40@943af009bb85 0x30 0x7A 0x2A 0x2B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6558b40@30d6c9527ead 0x45 0x13 0xC0 0x80 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6558b40@a8922cb3967e 0x81 0x52 0xD9 0xDD ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\0FCB5021-4E96-4392-8340-987E844A731A@IPAddress ::1 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----