GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-28 21:02:55
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502HI rev.1AG01118 465,76GB
Running: tde2234b.exe; Driver: C:\Users\Joanna\AppData\Local\Temp\uwtciuog.sys

---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwAdjustPrivilegesToken [0x9094E9FE]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwAlpcConnectPort [0x9094EBF2]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwConnectPort [0x9094DCAE]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateFile [0x9094E62C]
SSDT  8C39081E  ZwCreateSection
SSDT  8C3907F6  ZwCreateSymbolicLinkObject
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateThread [0x9094D658]
SSDT  8C3907FB  ZwLoadDriver
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwMakeTemporaryObject [0x9094DF92]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwOpenFile [0x9094E824]
SSDT  8C3907F1  ZwOpenSection
SSDT  8C390828  ZwRequestWaitReplyPort
SSDT  8C390823  ZwSetContextThread
SSDT  8C39082D  ZwSetSecurityObject
SSDT  8C390800  ZwSetSystemInformation
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwShutdownSystem [0x9094DEFC]
SSDT  8C390832  ZwSystemDebugControl
SSDT  8C3907BF  ZwTerminateProcess
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwTerminateThread [0x9094D85C]
SSDT  8C3907BA  ZwWriteVirtualMemory
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateThreadEx [0x9094EE3C]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!KeSetTimerEx + 34C  8350A970 4 Bytes  [FE, E9, 94, 90]
.text  ntkrnlpa.exe!KeSetTimerEx + 370  8350A994 4 Bytes  [F2, EB, 94, 90] {JMP 0xffffff97; NOP }
.text  ntkrnlpa.exe!KeSetTimerEx + 3F4  8350AA18 4 Bytes  [AE, DC, 94, 90]
.text  ntkrnlpa.exe!KeSetTimerEx + 40C  8350AA30 4 Bytes  [2C, E6, 94, 90] {SUB AL, 0xe6; XCHG ESP, EAX; NOP }
.text  ntkrnlpa.exe!KeSetTimerEx + 448  8350AA6C 4 Bytes  [1E, 08, 39, 8C]
.text  ...
---- User code sections - GMER 2.1 ----

.text  C:\Windows\Explorer.EXE[196]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\Explorer.EXE[196]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\Explorer.EXE[196]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\Explorer.EXE[196]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\Explorer.EXE[196]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\Explorer.EXE[196]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\Explorer.EXE[196]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\Explorer.EXE[196]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\Explorer.EXE[196]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\Explorer.EXE[196]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\Explorer.EXE[196]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\Explorer.EXE[196]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Windows\Explorer.EXE[196]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Windows\Explorer.EXE[196]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Windows\Explorer.EXE[196]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Windows\Explorer.EXE[196]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Windows\Explorer.EXE[196]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Windows\Explorer.EXE[196]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\services.exe[624]  services.exe  000D1628 4 Bytes  [40, 5A, 01, 10] {INC EAX; POP EDX; ADD [EAX], EDX}
.text  C:\Windows\system32\services.exe[624]  services.exe  000D1638 4 Bytes  [20, 5E, 01, 10]
.text  C:\Windows\system32\services.exe[624]  services.exe  000D1658 4 Bytes  [A0, 57, 01, 10]
.text  C:\Windows\system32\services.exe[624]  services.exe  000D1668 4 Bytes  [40, 5C, 01, 10] {INC EAX; POP ESP; ADD [EAX], EDX}
.text  C:\Windows\system32\services.exe[624]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\services.exe[624]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\services.exe[624]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [77, 71] {JA 0x73}
.text  C:\Windows\system32\services.exe[624]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\services.exe[624]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\services.exe[624]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\services.exe[624]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\services.exe[624]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\services.exe[624]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\services.exe[624]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\services.exe[624]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\services.exe[624]  RPCRT4.dll!RpcServerRegisterIfEx  7672CBA4 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\services.exe[624]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\services.exe[624]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717B000A
.text  C:\Windows\system32\services.exe[624]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\services.exe[624]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\services.exe[624]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\services.exe[624]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718A000A
.text  C:\Windows\system32\services.exe[624]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\lsass.exe[636]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\lsass.exe[636]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\lsass.exe[636]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\system32\lsass.exe[636]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\lsass.exe[636]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\lsass.exe[636]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\lsass.exe[636]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\lsass.exe[636]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\lsass.exe[636]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\lsass.exe[636]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\lsass.exe[636]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\lsass.exe[636]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\lsass.exe[636]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\lsass.exe[636]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\lsass.exe[636]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\lsass.exe[636]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\lsass.exe[636]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\lsass.exe[636]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Windows\system32\lsm.exe[644]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\lsm.exe[644]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\lsm.exe[644]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\system32\lsm.exe[644]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\lsm.exe[644]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\lsm.exe[644]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\lsm.exe[644]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\lsm.exe[644]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\lsm.exe[644]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\lsm.exe[644]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\lsm.exe[644]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\lsm.exe[644]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\lsm.exe[644]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\lsm.exe[644]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\lsm.exe[644]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\lsm.exe[644]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\lsm.exe[644]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\lsm.exe[644]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\SearchProtocolHost.exe[688]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Windows\system32\svchost.exe[828]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\svchost.exe[828]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[828]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [77, 71] {JA 0x73}
.text  C:\Windows\system32\svchost.exe[828]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[828]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\svchost.exe[828]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\svchost.exe[828]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\svchost.exe[828]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\svchost.exe[828]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\svchost.exe[828]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\svchost.exe[828]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\svchost.exe[828]  RPCRT4.dll!RpcServerRegisterIfEx  7672CBA4 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\svchost.exe[828]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\svchost.exe[828]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717B000A
.text  C:\Windows\system32\svchost.exe[828]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\svchost.exe[828]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\svchost.exe[828]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\svchost.exe[828]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718A000A
.text  C:\Windows\system32\svchost.exe[828]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\nvvsvc.exe[896]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\nvvsvc.exe[896]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\nvvsvc.exe[896]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\system32\nvvsvc.exe[896]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\nvvsvc.exe[896]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\nvvsvc.exe[896]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\nvvsvc.exe[896]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\nvvsvc.exe[896]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\nvvsvc.exe[896]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\nvvsvc.exe[896]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\nvvsvc.exe[896]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\nvvsvc.exe[896]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\nvvsvc.exe[896]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\nvvsvc.exe[896]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\nvvsvc.exe[896]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Windows\system32\nvvsvc.exe[896]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\nvvsvc.exe[896]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\nvvsvc.exe[896]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[908]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\svchost.exe[944]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\svchost.exe[944]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[944]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [77, 71] {JA 0x73}
.text  C:\Windows\system32\svchost.exe[944]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[944]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\svchost.exe[944]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\svchost.exe[944]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\svchost.exe[944]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\svchost.exe[944]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\svchost.exe[944]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\svchost.exe[944]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\svchost.exe[944]  RPCRT4.dll!RpcServerRegisterIfEx  7672CBA4 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\svchost.exe[944]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\svchost.exe[944]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717B000A
.text  C:\Windows\system32\svchost.exe[944]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\svchost.exe[944]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\svchost.exe[944]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\svchost.exe[944]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718A000A
.text  C:\Windows\system32\svchost.exe[944]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\svchost.exe[944]  rpcss.dll!WhichService  752B4384 8 Bytes  [80, 4F, 01, 10, 40, 4D, 01, ...] {OR BYTE [EDI+0x1], 0x10; INC EAX; DEC EBP; ADD [EAX], EDX}
.text  C:\Windows\system32\svchost.exe[1004]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\svchost.exe[1004]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[1004]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\system32\svchost.exe[1004]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[1004]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\svchost.exe[1004]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\svchost.exe[1004]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\svchost.exe[1004]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\svchost.exe[1004]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\svchost.exe[1004]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\svchost.exe[1004]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\svchost.exe[1004]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\svchost.exe[1004]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\svchost.exe[1004]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\svchost.exe[1004]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\svchost.exe[1004]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\svchost.exe[1004]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\svchost.exe[1004]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Windows\System32\svchost.exe[1112]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\System32\svchost.exe[1112]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\System32\svchost.exe[1112]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\System32\svchost.exe[1112]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\System32\svchost.exe[1112]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\System32\svchost.exe[1112]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\System32\svchost.exe[1112]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\System32\svchost.exe[1112]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\System32\svchost.exe[1112]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\System32\svchost.exe[1112]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\System32\svchost.exe[1112]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\System32\svchost.exe[1112]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Windows\System32\svchost.exe[1112]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Windows\System32\svchost.exe[1112]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\System32\svchost.exe[1112]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Windows\System32\svchost.exe[1112]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Windows\System32\svchost.exe[1112]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Windows\System32\svchost.exe[1112]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Windows\System32\svchost.exe[1140]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\System32\svchost.exe[1140]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\System32\svchost.exe[1140]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\System32\svchost.exe[1140]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\System32\svchost.exe[1140]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\System32\svchost.exe[1140]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\System32\svchost.exe[1140]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\System32\svchost.exe[1140]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\System32\svchost.exe[1140]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\System32\svchost.exe[1140]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\System32\svchost.exe[1140]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\System32\svchost.exe[1140]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Windows\System32\svchost.exe[1140]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Windows\System32\svchost.exe[1140]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\System32\svchost.exe[1140]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Windows\System32\svchost.exe[1140]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Windows\System32\svchost.exe[1140]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Windows\System32\svchost.exe[1140]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Windows\system32\svchost.exe[1156]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\svchost.exe[1156]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[1156]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [77, 71] {JA 0x73}
.text  C:\Windows\system32\svchost.exe[1156]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[1156]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\svchost.exe[1156]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\svchost.exe[1156]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\svchost.exe[1156]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\svchost.exe[1156]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\svchost.exe[1156]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\svchost.exe[1156]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\svchost.exe[1156]  RPCRT4.dll!RpcServerRegisterIfEx  7672CBA4 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\svchost.exe[1156]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\svchost.exe[1156]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717B000A
.text  C:\Windows\system32\svchost.exe[1156]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\svchost.exe[1156]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\svchost.exe[1156]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\svchost.exe[1156]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718A000A
.text  C:\Windows\system32\svchost.exe[1156]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\AUDIODG.EXE[1280]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A7001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\AUDIODG.EXE[1280]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\system32\AUDIODG.EXE[1280]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\AUDIODG.EXE[1280]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\AUDIODG.EXE[1280]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719E001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719B001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\AUDIODG.EXE[1280]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7192001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7198001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7195001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7186001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 718F001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718C001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 7189001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7180001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717D001E
.text  C:\Windows\system32\AUDIODG.EXE[1280]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7183001E
.text  C:\Windows\system32\svchost.exe[1308]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\svchost.exe[1308]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[1308]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\system32\svchost.exe[1308]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[1308]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\svchost.exe[1308]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\svchost.exe[1308]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\svchost.exe[1308]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\svchost.exe[1308]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\svchost.exe[1308]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\svchost.exe[1308]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\svchost.exe[1308]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\svchost.exe[1308]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\svchost.exe[1308]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\svchost.exe[1308]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\svchost.exe[1308]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\svchost.exe[1308]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\svchost.exe[1308]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Windows\system32\svchost.exe[1392]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\svchost.exe[1392]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[1392]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\system32\svchost.exe[1392]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\svchost.exe[1392]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Windows\system32\svchost.exe[1392]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Windows\system32\svchost.exe[1392]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Windows\system32\svchost.exe[1392]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Windows\system32\svchost.exe[1392]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Windows\system32\svchost.exe[1392]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Windows\system32\svchost.exe[1392]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Windows\system32\svchost.exe[1392]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Windows\system32\svchost.exe[1392]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Windows\system32\svchost.exe[1392]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\svchost.exe[1392]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Windows\system32\svchost.exe[1392]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Windows\system32\svchost.exe[1392]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Windows\system32\svchost.exe[1392]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes  [AE, 71]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  kernel32.dll!CreateProcessW  768A1C01 6 Bytes  JMP 719F000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  kernel32.dll!CreateProcessA  768A1C36 6 Bytes  JMP 719C000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  kernel32.dll!GetConsoleScreenBufferInfoEx + 132  768C31BD 4 Bytes  JMP 71AC000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  ADVAPI32.dll!CreateProcessAsUserW  7768A8F5 6 Bytes  JMP 7193000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  ADVAPI32.dll!CreateProcessAsUserA  776D48A6 6 Bytes  JMP 7199000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  ADVAPI32.dll!CreateProcessWithLogonW  776D86A9 6 Bytes  JMP 7196000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  GDI32.dll!DeleteDC  77A16A44 6 Bytes  JMP 7187000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  GDI32.dll!CreateDCA  77A1AC01 6 Bytes  JMP 7190000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  GDI32.dll!CreateDCW  77A1ADA5 6 Bytes  JMP 718D000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  GDI32.dll!GetPixel  77A1CC58 6 Bytes  JMP 718A000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  USER32.dll!SetWindowsHookExW  775D7B69 6 Bytes  JMP 7181000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  USER32.dll!SetWinEventHook  775D915C 6 Bytes  JMP 717E000A
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1540]  USER32.dll!SetWindowsHookExA  775FBB0E 6 Bytes  JMP 7184000A
.text  C:\Windows\system32\nvvsvc.exe[1548]  ntdll.dll!LdrUnloadDll  7790E5AC 6 Bytes  JMP 71A8000A
.text  C:\Windows\system32\nvvsvc.exe[1548]  ntdll.dll!NtAlpcSendWaitReceivePort  77927B18 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\nvvsvc.exe[1548]  ntdll.dll!NtAlpcSendWaitReceivePort + 4  77927B1C 2 Bytes  [7A, 71] {JP 0x73}
.text  C:\Windows\system32\nvvsvc.exe[1548]  ntdll.dll!NtClose  77927BB8 3 Bytes  [FF, 25, 1E]
.text  C:\Windows\system32\nvvsvc.exe[1548]  ntdll.dll!NtClose + 4  77927BBC 2 Bytes
[AE, 71] .text C:\Windows\system32\nvvsvc.exe[1548] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[1548] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[1548] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Windows\system32\nvvsvc.exe[1548] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[1548] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[1548] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[1548] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[1548] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[1548] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[1548] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[1548] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[1548] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[1548] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] kernel32.dll!CreateProcessW 
768A1C01 6 Bytes JMP 719F000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[1608] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] 
ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1684] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1876] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1876] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1876] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\spoolsv.exe[1876] 
ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1876] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1876] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Windows\System32\spoolsv.exe[1876] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1876] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Windows\System32\spoolsv.exe[1876] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1876] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1876] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1876] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1876] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[1876] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1876] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1876] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1876] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1876] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[1884] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[1884] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1884] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [78, 71] {JS 0x73} .text C:\Windows\system32\Dwm.exe[1884] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1884] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text 
C:\Windows\system32\Dwm.exe[1884] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[1884] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[1884] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Windows\system32\Dwm.exe[1884] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[1884] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[1884] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[1884] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[1884] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[1884] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[1884] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[1884] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 717F000A .text C:\Windows\system32\Dwm.exe[1884] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717C000A .text C:\Windows\system32\Dwm.exe[1884] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[1892] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[1892] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1892] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskeng.exe[1892] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1892] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[1892] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Windows\system32\taskeng.exe[1892] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text 
C:\Windows\system32\taskeng.exe[1892] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Windows\system32\taskeng.exe[1892] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[1892] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[1892] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[1892] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[1892] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[1892] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[1892] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[1892] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[1892] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[1892] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Program Files\Avira\AntiVir 
Desktop\sched.exe[1916] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1916] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1940] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1940] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1940] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1940] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1940] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1940] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1940] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A 
.text C:\Windows\system32\svchost.exe[1940] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[1940] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1940] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1940] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1940] RPCRT4.dll!RpcServerRegisterIfEx 7672CBA4 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1940] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1940] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1940] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1940] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1940] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1940] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1940] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 7187000A .text C:\Windows\system32\lxdxcoms.exe[2160] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Windows\system32\lxdxcoms.exe[2160] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lxdxcoms.exe[2160] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lxdxcoms.exe[2160] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lxdxcoms.exe[2160] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Windows\system32\lxdxcoms.exe[2160] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Windows\system32\lxdxcoms.exe[2160] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text 
C:\Windows\system32\lxdxcoms.exe[2160] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Windows\system32\lxdxcoms.exe[2160] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Windows\system32\lxdxcoms.exe[2160] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Windows\system32\lxdxcoms.exe[2160] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Windows\system32\lxdxcoms.exe[2160] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Windows\system32\lxdxcoms.exe[2160] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Windows\system32\lxdxcoms.exe[2160] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Windows\system32\lxdxcoms.exe[2160] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Windows\system32\lxdxcoms.exe[2160] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\system32\lxdxcoms.exe[2160] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\system32\lxdxcoms.exe[2160] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA 
Corporation\Performance Drivers\nvPDsvc.exe[2268] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe[2268] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2360] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2360] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2360] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text 
C:\Windows\system32\svchost.exe[2360] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2360] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2360] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2360] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2360] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[2360] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2360] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2360] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2360] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2360] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2360] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2360] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2360] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2360] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2360] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2380] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2380] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2380] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2380] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2380] ntdll.dll!NtClose + 4 
77927BBC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2380] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2380] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2380] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Windows\system32\svchost.exe[2380] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2380] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2380] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2380] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2380] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2380] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2380] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2380] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2380] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2380] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[2400] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[2400] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2400] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskeng.exe[2400] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[2400] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[2400] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text 
C:\Windows\system32\taskeng.exe[2400] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[2400] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Windows\system32\taskeng.exe[2400] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[2400] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[2400] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[2400] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[2400] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[2400] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[2400] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[2400] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[2400] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[2400] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[2428] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[2428] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2428] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[2428] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2428] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[2428] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[2428] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[2428] 
kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Windows\System32\svchost.exe[2428] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[2428] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[2428] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[2428] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[2428] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[2428] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[2428] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[2428] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[2428] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[2428] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchIndexer.exe[2508] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[2508] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2508] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\SearchIndexer.exe[2508] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2508] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[2508] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Windows\system32\SearchIndexer.exe[2508] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[2508] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text 
C:\Windows\system32\SearchIndexer.exe[2508] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[2508] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[2508] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[2508] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[2508] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[2508] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[2508] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[2508] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[2508] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchIndexer.exe[2508] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] KERNEL32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] KERNEL32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] 
KERNEL32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe[2564] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Windows\ehome\ehmsas.exe[2752] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Windows\ehome\ehmsas.exe[2752] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehmsas.exe[2752] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Windows\ehome\ehmsas.exe[2752] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehmsas.exe[2752] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Windows\ehome\ehmsas.exe[2752] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Windows\ehome\ehmsas.exe[2752] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Windows\ehome\ehmsas.exe[2752] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Windows\ehome\ehmsas.exe[2752] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Windows\ehome\ehmsas.exe[2752] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Windows\ehome\ehmsas.exe[2752] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Windows\ehome\ehmsas.exe[2752] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Windows\ehome\ehmsas.exe[2752] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Windows\ehome\ehmsas.exe[2752] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Windows\ehome\ehmsas.exe[2752] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Windows\ehome\ehmsas.exe[2752] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Windows\ehome\ehmsas.exe[2752] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Windows\ehome\ehmsas.exe[2752] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CCleaner\CCleaner.exe[2756] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\CCleaner\CCleaner.exe[2756] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CCleaner\CCleaner.exe[2756] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Program Files\CCleaner\CCleaner.exe[2756] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 717B000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 7178000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!GetScrollPos 775DC090 5 Bytes JMP 00329AC2 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!GetScrollRange 775DC33B 5 Bytes JMP 00329A8A C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!SetScrollRange 775DE173 5 Bytes JMP 00329B54 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!GetScrollInfo 775E0804 5 Bytes JMP 00329AE7 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!ShowScrollBar 775E0E7C 5 Bytes JMP 00329B1A C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!SetScrollInfo 775E8663 5 Bytes JMP 00329B8B C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!EnableScrollBar 775FB11E 5 Bytes JMP 00329BBF C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 717E000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] USER32.dll!SetScrollPos 77603A1E 5 Bytes JMP 00329A65 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[2756] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7181000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Program Files\CCleaner\CCleaner.exe[2756] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Windows\system32\WUDFHost.exe[2816] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Windows\system32\WUDFHost.exe[2816] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WUDFHost.exe[2816] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Windows\system32\WUDFHost.exe[2816] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\WUDFHost.exe[2816] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Windows\system32\WUDFHost.exe[2816] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Windows\system32\WUDFHost.exe[2816] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Windows\system32\WUDFHost.exe[2816] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Windows\system32\WUDFHost.exe[2816] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Windows\system32\WUDFHost.exe[2816] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Windows\system32\WUDFHost.exe[2816] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Windows\system32\WUDFHost.exe[2816] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Windows\system32\WUDFHost.exe[2816] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Windows\system32\WUDFHost.exe[2816] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Windows\system32\WUDFHost.exe[2816] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Windows\system32\WUDFHost.exe[2816] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Windows\system32\WUDFHost.exe[2816] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Windows\system32\WUDFHost.exe[2816] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Windows\system32\taskeng.exe[2900] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Windows\system32\taskeng.exe[2900] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2900] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Windows\system32\taskeng.exe[2900] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\taskeng.exe[2900] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Windows\system32\taskeng.exe[2900] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Windows\system32\taskeng.exe[2900] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Windows\system32\taskeng.exe[2900] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Windows\system32\taskeng.exe[2900] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Windows\system32\taskeng.exe[2900] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Windows\system32\taskeng.exe[2900] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Windows\system32\taskeng.exe[2900] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Windows\system32\taskeng.exe[2900] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Windows\system32\taskeng.exe[2900] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Windows\system32\taskeng.exe[2900] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Windows\system32\taskeng.exe[2900] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Windows\system32\taskeng.exe[2900] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Windows\system32\taskeng.exe[2900] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe[3116] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7181000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 717B000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 7178000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 717E000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe[3132] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3172] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [73, 71] {JAE 0x73}
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7181000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 717B000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 7177000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[3188] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 717E000A
.text C:\Windows\ehome\ehtray.exe[3224] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Windows\ehome\ehtray.exe[3224] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehtray.exe[3224] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Windows\ehome\ehtray.exe[3224] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Windows\ehome\ehtray.exe[3224] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Windows\ehome\ehtray.exe[3224] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Windows\ehome\ehtray.exe[3224] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Windows\ehome\ehtray.exe[3224] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Windows\ehome\ehtray.exe[3224] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Windows\ehome\ehtray.exe[3224] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Windows\ehome\ehtray.exe[3224] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Windows\ehome\ehtray.exe[3224] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Windows\ehome\ehtray.exe[3224] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Windows\ehome\ehtray.exe[3224] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Windows\ehome\ehtray.exe[3224] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Windows\ehome\ehtray.exe[3224] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Windows\ehome\ehtray.exe[3224] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Windows\ehome\ehtray.exe[3224] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7181000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 717B000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 7178000A
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3404] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 717E000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[3420] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Windows\System32\mobsync.exe[3492] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Windows\System32\mobsync.exe[3492] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\mobsync.exe[3492] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Windows\System32\mobsync.exe[3492] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Windows\System32\mobsync.exe[3492] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Windows\System32\mobsync.exe[3492] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Windows\System32\mobsync.exe[3492] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Windows\System32\mobsync.exe[3492] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Windows\System32\mobsync.exe[3492] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Windows\System32\mobsync.exe[3492] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Windows\System32\mobsync.exe[3492] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Windows\System32\mobsync.exe[3492] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Windows\System32\mobsync.exe[3492] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Windows\System32\mobsync.exe[3492] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Windows\System32\mobsync.exe[3492] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Windows\System32\mobsync.exe[3492] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Windows\System32\mobsync.exe[3492] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Windows\System32\mobsync.exe[3492] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Windows\system32\wuauclt.exe[3796] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Windows\system32\wuauclt.exe[3796] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wuauclt.exe[3796] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Windows\system32\wuauclt.exe[3796] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\wuauclt.exe[3796] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Windows\system32\wuauclt.exe[3796] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Windows\system32\wuauclt.exe[3796] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Windows\system32\wuauclt.exe[3796] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Windows\system32\wuauclt.exe[3796] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Windows\system32\wuauclt.exe[3796] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Windows\system32\wuauclt.exe[3796] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Windows\system32\wuauclt.exe[3796] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Windows\system32\wuauclt.exe[3796] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Windows\system32\wuauclt.exe[3796] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Windows\system32\wuauclt.exe[3796] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Windows\system32\wuauclt.exe[3796] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Windows\system32\wuauclt.exe[3796] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Windows\system32\wuauclt.exe[3796] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe[3968] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] KERNEL32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] KERNEL32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] KERNEL32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A
.text C:\Program Files\Avira\Launcher\Avira.Systray.exe[3976] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73}
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtCreateFile + 6 77927C7E 4 Bytes [28, 48, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtCreateFile + B 77927C83 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtMapViewOfSection + 6 779283CE 4 Bytes [28, 4B, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtMapViewOfSection + B 779283D3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenFile + 6 7792845E 4 Bytes [68, 48, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenFile + B 77928463 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenProcess + 6 779284DE 4 Bytes [A8, 49, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenProcess + B 779284E3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenProcessToken + 6 779284EE 4 Bytes CALL 7692BC3C C:\Windows\system32\kernel32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenProcessToken + B 779284F3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenProcessTokenEx + 6 779284FE 4 Bytes [A8, 4A, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenProcessTokenEx + B 77928503 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenThread + 6 7792854E 4 Bytes [68, 49, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenThread + B 77928553 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenThreadToken + 6 7792855E 4 Bytes [68, 4A, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenThreadToken + B 77928563 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenThreadTokenEx + 6 7792856E 4 Bytes CALL 7692BCBD C:\Windows\system32\kernel32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtOpenThreadTokenEx + B 77928573 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtQueryAttributesFile + 6 779285FE 4 Bytes [A8, 48, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtQueryAttributesFile + B 77928603 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtQueryFullAttributesFile + 6 779286AE 4 Bytes CALL 7692BDFB C:\Windows\system32\kernel32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtQueryFullAttributesFile + B 779286B3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtSetInformationFile + 6 77928B8E 4 Bytes [28, 49, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtSetInformationFile + B 77928B93 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtSetInformationThread + 6 77928BDE 4 Bytes [28, 4A, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtSetInformationThread + B 77928BE3 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtUnmapViewOfSection + 6 77928E7E 4 Bytes [68, 4B, 37, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ntdll.dll!NtUnmapViewOfSection + B 77928E83 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4204] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text 
C:\Program Files\Google\Chrome\Application\chrome.exe[4916] ntdll.dll!NtMapViewOfSection + 6 779283CE 4 Bytes [18, 20, E4, 73] {SBB [EAX], AH; IN AL, 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] ntdll.dll!NtMapViewOfSection + B 779283D3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[4916] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A 
.text C:\Users\Joanna\Downloads\FRST.exe[5428] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 3 Bytes [FF, 25, 1E] .text C:\Users\Joanna\Downloads\FRST.exe[5428] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\Joanna\Downloads\FRST.exe[5428] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Users\Joanna\Downloads\FRST.exe[5428] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Users\Joanna\Downloads\FRST.exe[5428] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Users\Joanna\Downloads\FRST.exe[5428] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] ntdll.dll!NtAlpcSendWaitReceivePort 77927B18 
3 Bytes [FF, 25, 1E] .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Users\Joanna\Downloads\tde2234b.exe[5948] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!LdrUnloadDll 7790E5AC 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtAlpcSendWaitReceivePort 
77927B18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77927B1C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtClose 77927BB8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtClose + 4 77927BBC 2 Bytes [AE, 71] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtCreateFile + 6 77927C7E 4 Bytes [28, 80, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtCreateFile + B 77927C83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtMapViewOfSection + 6 779283CE 4 Bytes [28, 83, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtMapViewOfSection + B 779283D3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenFile + 6 7792845E 4 Bytes [68, 80, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenFile + B 77928463 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenProcess + 6 779284DE 4 Bytes [A8, 81, 33, 00] {TEST AL, 0x81; XOR EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenProcess + B 779284E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenProcessToken + 6 779284EE 4 Bytes CALL 7692B874 C:\Windows\system32\kernel32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenProcessToken + B 779284F3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenProcessTokenEx + 6 779284FE 4 Bytes [A8, 82, 33, 00] {TEST AL, 0x82; XOR EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenProcessTokenEx + B 77928503 1 Byte [E2] .text C:\Program 
Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenThread + 6 7792854E 4 Bytes [68, 81, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenThread + B 77928553 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenThreadToken + 6 7792855E 4 Bytes [68, 82, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenThreadToken + B 77928563 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenThreadTokenEx + 6 7792856E 4 Bytes CALL 7692B8F5 C:\Windows\system32\kernel32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtOpenThreadTokenEx + B 77928573 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtQueryAttributesFile + 6 779285FE 4 Bytes [A8, 80, 33, 00] {TEST AL, 0x80; XOR EAX, [EAX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtQueryAttributesFile + B 77928603 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtQueryFullAttributesFile + 6 779286AE 4 Bytes CALL 7692BA33 C:\Windows\system32\kernel32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtQueryFullAttributesFile + B 779286B3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtSetInformationFile + 6 77928B8E 4 Bytes [28, 81, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtSetInformationFile + B 77928B93 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtSetInformationThread + 6 77928BDE 4 Bytes [28, 82, 33, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtSetInformationThread + B 77928BE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtUnmapViewOfSection + 6 77928E7E 4 Bytes [68, 83, 33, 
00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ntdll.dll!NtUnmapViewOfSection + B 77928E83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] kernel32.dll!CreateProcessW 768A1C01 6 Bytes JMP 719F000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] kernel32.dll!CreateProcessA 768A1C36 6 Bytes JMP 719C000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] kernel32.dll!GetConsoleScreenBufferInfoEx + 132 768C31BD 4 Bytes JMP 71AC000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ADVAPI32.dll!CreateProcessAsUserW 7768A8F5 6 Bytes JMP 7193000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ADVAPI32.dll!CreateProcessAsUserA 776D48A6 6 Bytes JMP 7199000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] ADVAPI32.dll!CreateProcessWithLogonW 776D86A9 6 Bytes JMP 7196000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] USER32.dll!SetWindowsHookExW 775D7B69 6 Bytes JMP 7181000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] USER32.dll!SetWinEventHook 775D915C 6 Bytes JMP 717E000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] USER32.dll!SetWindowsHookExA 775FBB0E 6 Bytes JMP 7184000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] GDI32.dll!DeleteDC 77A16A44 6 Bytes JMP 7187000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] GDI32.dll!CreateDCA 77A1AC01 6 Bytes JMP 7190000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] GDI32.dll!CreateDCW 77A1ADA5 6 Bytes JMP 718D000A .text C:\Program Files\Google\Chrome\Application\chrome.exe[6092] GDI32.dll!GetPixel 77A1CC58 6 Bytes JMP 718A000A ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74A58864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT 
C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74A99855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74A5B984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74A4FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74A57A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74A4EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74A8B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74A5BC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74A50756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74A506BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ 
C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74A471B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74ADD9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74A77329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74A4E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74A4697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74A469A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[196] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74A52475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys ---- Processes - GMER 2.1 ---- Process (*** hidden *** ) [4] 8597DD90 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Files - GMER 2.1 ---- File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS001DE.log 131072 bytes File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS001DF.log 131072 bytes ---- EOF - GMER 2.1 ----