GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-21 17:54:24
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAJS-00VWA0 rev.12.01B02 298,09GB
Running: k025650u.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxtdapoc.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xECC21E92]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xECC23530]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xECC210D8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateEvent [0xECC201AE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateEventPair [0xECC20206]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xECC21AC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xECC22AC6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateMutant [0xECC20158]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreatePort [0xECC20100]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xECC217DC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSemaphore [0xECC20258]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xECC24534]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xECC20A82]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xECC2224C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xECC224C2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xECC2086C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xECC23646]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xECC2385A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xECC23F3A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xECC213B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeKey [0xECC24806]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeMultipleKeys [0xECC23404]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xECC21CB8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xECC229A8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xECC202B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xECC21664]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xECC205BC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xECC239CC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xECC23C80]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xECC23AFE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xECC230F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0xECC22086]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xECC227CC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xECC2423A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xECC22DE2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xECC21326]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xECC21550]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xECC20EB8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xECC20C86]

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!_abnormal_termination + D8 804E2744 12 Bytes [AE, 01, C2, EC, 06, 02, C2, ...] {SCASB ; ADD EDX, EAX; IN AL, DX; PUSH ES; ADD AL, DL; IN AL, DX; RCR BYTE [EDX], 0xc2; IN AL, DX}
.text ntoskrnl.exe!_abnormal_termination + 114 804E2780 16 Bytes [DC, 17, C2, EC, 58, 02, C2, ...] {FCOM QWORD [EDI]; RET 0x58ec; ADD AL, DL; IN AL, DX; XOR AL, 0x45; RET 0x82ec; OR AL, DL; IN AL, DX}
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF7153000, 0x1C5D58, 0xE8000020]
? system32\drivers\{237a87b5-881c-4fd8-b80a-c3b471ff75d7}t.sys The system cannot find the path specified. !

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\RunDll32.exe[260] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RunDll32.exe[260] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\RunDll32.exe[260] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RunDll32.exe[260] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\RunDll32.exe[260] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RunDll32.exe[260] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\RunDll32.exe[260] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RunDll32.exe[260] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\RunDll32.exe[260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\RunDll32.exe[260] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\RunDll32.exe[260] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\RunDll32.exe[260] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\RunDll32.exe[260] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\RunDll32.exe[260] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\RunDll32.exe[260] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\RunDll32.exe[260] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\RunDll32.exe[260] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\RunDll32.exe[260] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\RunDll32.exe[260] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\ctfmon.exe[284] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[284] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\ctfmon.exe[284] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[284] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\ctfmon.exe[284] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[284] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\ctfmon.exe[284] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[284] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\ctfmon.exe[284] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\ctfmon.exe[284] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[284] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\ctfmon.exe[284] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\ctfmon.exe[284] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\ctfmon.exe[284] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\ctfmon.exe[284] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\ctfmon.exe[284] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\ctfmon.exe[284] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\ctfmon.exe[284] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\ctfmon.exe[284] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] KERNEL32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] KERNEL32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[352] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text E:\programy\Unlocker\UnlockerAssistant.exe[408] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[576] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73}
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9B, 71]
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, A7, 00] {ADC BYTE [EDI-0x59], 0x0}
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, A7, 00]
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A
.text C:\Program Files\TP-LINK\TL-WN321G\COMMON\TWCU.exe[608] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] KERNEL32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] KERNEL32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[700] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\csrss.exe[744] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\cmdcsr.dll
.text C:\WINDOWS\system32\csrss.exe[744] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001D70 C:\WINDOWS\system32\cmdcsr.dll
.text C:\WINDOWS\system32\winlogon.exe[784] ntdll.dll!NtLockProductActivationKeys 7C90D4AE 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\winlogon.exe[784] USER32.dll!GetSystemMetrics 7E368F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[832] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\services.exe[832] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\services.exe[832] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\services.exe[832] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\services.exe[832] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\services.exe[832] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\services.exe[832] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\services.exe[832] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\services.exe[832] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\services.exe[832] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7B, 71] {JNP 0x73}
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [78, 71] {JS 0x73}
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A2, 71]
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [99, 71]
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10}
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10]
.text C:\WINDOWS\system32\lsass.exe[844] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7188000A
.text C:\WINDOWS\system32\lsass.exe[844] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7182000A
.text C:\WINDOWS\system32\lsass.exe[844] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7185000A
.text C:\WINDOWS\system32\lsass.exe[844] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717F000A
.text C:\WINDOWS\system32\lsass.exe[844] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718B000A
.text C:\WINDOWS\system32\lsass.exe[844] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718E000A
.text C:\WINDOWS\system32\lsass.exe[844] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7194000A
.text C:\WINDOWS\system32\lsass.exe[844] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7191000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10}
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10]
.text C:\WINDOWS\system32\Ati2evxx.exe[1012] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\svchost.exe[1032] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\svchost.exe[1032] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[1032] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[1032] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[1032] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[1032] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] KERNEL32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] KERNEL32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10}
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10]
.text C:\Program Files\Round World\bin\utilRoundWorld.exe[1060] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\svchost.exe[1088] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\svchost.exe[1088] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1088] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[1088] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[1088] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[1088] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[1088] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[1088] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[1088] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\svchost.exe[1088] rpcss.dll!WhichService 76A64234 8 Bytes [D0, 3B, 01, 10, 90, 39, 01, ...]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10}
.text C:\WINDOWS\system32\svchost.exe[1164] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10]
.text C:\WINDOWS\system32\svchost.exe[1164] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[1164] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[1164] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[1164] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[1164] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1260] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00403580 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1260] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 004A2820 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73}
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9B, 71]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10}
.text C:\Program Files\Java\jre7\bin\jqs.exe[1316]
ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\Program Files\Java\jre7\bin\jqs.exe[1316] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\Program Files\Java\jre7\bin\jqs.exe[1316] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Program Files\Java\jre7\bin\jqs.exe[1316] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Program Files\Java\jre7\bin\jqs.exe[1316] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Program Files\Java\jre7\bin\jqs.exe[1316] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\Java\jre7\bin\jqs.exe[1316] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Program Files\Java\jre7\bin\jqs.exe[1316] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\Program Files\Java\jre7\bin\jqs.exe[1316] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] 
kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1364] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1364] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes 
[A7, 71] .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71] .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10} .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Program Files\TP-LINK\TL-WN321G\COMMON\RegistryWriter.exe[1464] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\Ati2evxx.exe[1480] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1480] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[1480] ntdll.dll!NtReplyWaitReceivePort 
7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1480] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[1480] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1480] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\Ati2evxx.exe[1480] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1480] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[1480] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\Ati2evxx.exe[1480] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1480] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[1480] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\Ati2evxx.exe[1480] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\Ati2evxx.exe[1480] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\Ati2evxx.exe[1480] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\Ati2evxx.exe[1480] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\Ati2evxx.exe[1480] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\Ati2evxx.exe[1480] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\Ati2evxx.exe[1480] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10} .text C:\WINDOWS\system32\Ati2evxx.exe[1480] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\WINDOWS\system32\Ati2evxx.exe[1480] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!NtClose 7C90CFEE 3 
Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10} .text C:\WINDOWS\system32\svchost.exe[1520] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1520] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1520] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1520] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1520] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1520] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1520] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1520] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 
7199000A .text C:\WINDOWS\system32\svchost.exe[1520] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10} .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program 
Files\TeamViewer\TeamViewer_Service.exe[1692] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[1692] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10} .text 
C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1720] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1720] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1720] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1720] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1720] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1720] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1720] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1720] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[1728] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[1728] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1728] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71] .text C:\WINDOWS\Explorer.EXE[1728] 
ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10} .text C:\WINDOWS\Explorer.EXE[1728] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\WINDOWS\Explorer.EXE[1728] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[1728] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\Explorer.EXE[1728] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[1728] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[1728] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[1728] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[1728] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[1728] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\Explorer.EXE[1728] SHELL32.dll!SHFileOperationW 7CA70B68 5 Bytes JMP 023C1102 E:\programy\Unlocker\UnlockerHook.dll .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[1816] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text 
C:\WINDOWS\system32\spoolsv.exe[1816] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1816] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71] .text C:\WINDOWS\system32\spoolsv.exe[1816] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10} .text C:\WINDOWS\system32\spoolsv.exe[1816] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[1816] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[1816] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\spoolsv.exe[1816] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[1816] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[1816] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\spoolsv.exe[1816] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[1816] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1816] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\uvnc 
bvba\UltraVNC\WinVNC.exe[2080] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9B, 71] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10} .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2080] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] 
ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9B, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text 
C:\WINDOWS\system32\wbem\wmiprvse.exe[2376] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9B, 71] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10} .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10] .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] GDI32.dll!GetPixel 77F1B74C 6 
Bytes JMP 7190000A
.text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A
.text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A
.text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A
.text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A
.text C:\Program Files\uvnc bvba\UltraVNC\WinVNC.exe[2540] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0127F912 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 0127F652 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 0127F78A C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 0127F68C C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 018243A6 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0127FAB6 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 018243F6 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 009B908C C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0180FD1D C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0180DDA1 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] kernel32.dll!ValidateLocale + B138 7C844930 7 Bytes JMP 015B1FD5 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 021FBF0A C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 0180C315 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2644] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\System32\alg.exe[2972] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2972] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\System32\alg.exe[2972] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2972] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [78, 71] {JS 0x73}
.text C:\WINDOWS\System32\alg.exe[2972] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2972] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [75, 71] {JNZ 0x73}
.text C:\WINDOWS\System32\alg.exe[2972] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2972] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71]
.text C:\WINDOWS\System32\alg.exe[2972] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\System32\alg.exe[2972] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[2972] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [96, 71]
.text C:\WINDOWS\System32\alg.exe[2972] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717F000A
.text C:\WINDOWS\System32\alg.exe[2972] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7182000A
.text C:\WINDOWS\System32\alg.exe[2972] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717C000A
.text C:\WINDOWS\System32\alg.exe[2972] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7188000A
.text C:\WINDOWS\System32\alg.exe[2972] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718B000A
.text C:\WINDOWS\System32\alg.exe[2972] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7191000A
.text C:\WINDOWS\System32\alg.exe[2972] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718E000A
.text C:\WINDOWS\System32\alg.exe[2972] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10}
.text C:\WINDOWS\System32\alg.exe[2972] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10]
.text C:\WINDOWS\System32\alg.exe[2972] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7185000A
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] KERNEL32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] KERNEL32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10}
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10]
.text C:\Program Files\Round World\updateRoundWorld.exe[3088] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3228] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00401210 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
.text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3228] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00401000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10}
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 01FB7DD5 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 01FB7EAA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01FBA188 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3364] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 01FB8779 C:\Program Files\Mozilla Firefox\xul.dll
.text E:\programy\Gmer\k025650u.exe[3860] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text E:\programy\Gmer\k025650u.exe[3860] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text E:\programy\Gmer\k025650u.exe[3860] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text E:\programy\Gmer\k025650u.exe[3860] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text E:\programy\Gmer\k025650u.exe[3860] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text E:\programy\Gmer\k025650u.exe[3860] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text E:\programy\Gmer\k025650u.exe[3860] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text E:\programy\Gmer\k025650u.exe[3860] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text E:\programy\Gmer\k025650u.exe[3860] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text E:\programy\Gmer\k025650u.exe[3860] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text E:\programy\Gmer\k025650u.exe[3860] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9E, 71]
.text E:\programy\Gmer\k025650u.exe[3860] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text E:\programy\Gmer\k025650u.exe[3860] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text E:\programy\Gmer\k025650u.exe[3860] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text E:\programy\Gmer\k025650u.exe[3860] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text E:\programy\Gmer\k025650u.exe[3860] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text E:\programy\Gmer\k025650u.exe[3860] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text E:\programy\Gmer\k025650u.exe[3860] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text E:\programy\Gmer\k025650u.exe[3860] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [80, 57, 01, 10] {ADC BYTE [EDI+0x1], 0x10}
.text E:\programy\Gmer\k025650u.exe[3860] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [10, 58, 01, 10]
.text E:\programy\Gmer\k025650u.exe[3860] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73}
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] kernel32.dll!CreateProcessInternalW 7C8197B0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] kernel32.dll!CreateProcessInternalW + 4 7C8197B4 2 Bytes [9B, 71]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3956] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip {237a87b5-881c-4fd8-b80a-c3b471ff75d7}t.sys
AttachedDevice \Driver\Tcpip \Device\Tcp {237a87b5-881c-4fd8-b80a-c3b471ff75d7}t.sys
AttachedDevice \Driver\Tcpip \Device\Udp {237a87b5-881c-4fd8-b80a-c3b471ff75d7}t.sys
AttachedDevice \Driver\Tcpip \Device\RawIp {237a87b5-881c-4fd8-b80a-c3b471ff75d7}t.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...
Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ...

---- Files - GMER 2.1 ----

File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{9DAB7BED-2A7E-473E-B362-FBB3C8746B5E} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{667A6378-EE09-45C2-B1A5-C5800EBB8E69} 285424 bytes executable
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{CCE705BD-D0DA-4968-AE51-2F35C2AA89B6} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{8E2CC2BE-55FB-4C0E-9B48-2F3A64204BA7} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{38D9E205-E5B6-4343-AD31-259389A34D2C} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{E8EA3F3A-DA86-4A82-A723-FFD109EE9DAE} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{00B34C12-9A7A-46A9-BD8A-6A20FA8A35BF} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{7BE69ABC-DD34-4BAE-9221-968BE55A162F} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{7EEF82D2-2E61-400C-AF30-9AA1E548A028} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{E4EAAB3C-4EAC-40B7-BEA4-9B5E03365B0F} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{2F9C7D9F-940D-4565-ACA3-9F3015250C4F} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{A4AB18F3-075A-402D-A351-C0219149171B} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{62B32621-D393-4C24-A50B-05F3DF2C7846} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{1F6DEF90-6F26-49B8-8DF7-234EFC21C496} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{DEE51F27-A2F9-416B-8E79-A2B5F83851D3} 285424 bytes executable
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{C4FB02D7-34A0-4281-BBA6-54A4C2F224E9} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{92C670B7-F32A-4B32-97EC-F9E43C666BBB} 285424 bytes executable
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{83967970-4993-41C1-8A9A-ADF76F3ED276} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{5C3B9AB1-21FA-48A0-9F20-B29EB569C185} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{6B140930-FFAB-4647-8CB7-C0687F148E9F} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{55949BF1-AAE6-4543-A8E4-7DA4ADCC4F1B} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{73269CB6-4EEB-4EE9-9B3A-AAE3501349E4} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{D827367F-EC74-4195-98D7-4E678A2D6AB5} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{D845DF03-F738-4D82-84BD-787AB19ABAF5} 285424 bytes executable
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{09FB1E4C-60B4-458A-9B0C-4E99923BF29E} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{0F8666B1-EF2B-4A01-8F57-D59EAFD7D14A} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{FF2AD165-4610-4580-BC80-744D0E07038B} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{153DFDA6-5D42-4EA8-BC61-51E5F0FEC6AC} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{9DE57566-A43D-47E7-8436-18F7E471C708} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{7D37464E-7AA2-484B-9873-C4CD6CD5A58B} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{73C7930C-BAE8-4AAE-8274-B9B8725E90A1} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{C35FE1F1-ED49-4A11-B033-B85B995AEE5D} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{327E110F-9F4E-4350-8A95-AA1C1FE70196} 285424 bytes executable
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{F28027EC-949F-44D2-9E5A-91D5E099E017} 285424 bytes executable
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{829958B8-E63B-4311-952A-1A79F09051FF} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{CCBB241C-91F6-4CEB-87E6-23D4236CC313} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{C7A29B8B-C54E-449D-8D49-2768FA6AD341} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{76253087-A452-4E02-A9A9-223CF654723C} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{29DE9F09-6C1A-4DAF-9CD4-3046AAC3817D} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{7CB87ADA-C122-4559-BFAE-159FAF66BEBA} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{B0E3916C-3E60-4394-812E-13E65EAA3447} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{CD459087-2990-49F2-97B1-3F975964D857} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{75DF9530-D0F7-45E7-A378-6000A239BBCF} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{3EAFFECB-1DD5-429F-863C-EFBBEEAA7BEE} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{0DDD7DF7-64A3-455C-97F5-AE45A4BC0E62} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{60BBF92F-5C2A-4DAB-BF2A-73D7AE7C5120} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{7A84B62C-81B9-4FD8-B297-0199D1034191} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{B3EC8034-8C20-41C3-8B7C-AA3D37C88604} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{D671ECCB-DB34-495F-8F40-D1307C0837DE} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{09303A81-B5DF-468D-B9D0-63292A791B1A} 81648 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{9A15CE57-E665-4EBD-ACC1-0B40225C9C3C} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{4F052B94-8E50-4CE0-B8B0-9E88F4F7CB98} 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Comodo\Cis\Quarantine\data\{6C45879A-57B2-4159-A17D-3565989CB755} 0 bytes

---- EOF - GMER 2.1 ----