GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-24 18:01:40 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9320325AS rev.0003SDM1 298,09GB Running: eh77uc4e.exe; Driver: C:\Users\MG\AppData\Local\Temp\pxldipow.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwAddBootEntry [0x8F646A10] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwAlpcConnectPort [0x8F646ED8] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwAlpcSendWaitReceivePort [0x8F649398] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwConnectPort [0x8F64822A] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwCreateSection [0x8F647E84] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwCreateThread [0x8F6479F0] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwCreateThreadEx [0x8F6472EA] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwDeleteBootEntry [0x8F646A7C] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwDeleteFile [0x8F6470B0] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwDeviceIoControlFile [0x8F646450] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwDuplicateObject [0x8F6466B4] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwFsControlFile [0x8F647050] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwImpersonateClientOfPort [0x8F647016] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwImpersonateThread [0x8F646FD4] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwLoadDriver [0x8F648DD8] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwMapViewOfSection [0x8F648C3C] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwModifyBootEntry [0x8F646A46] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwOpenProcess [0x8F648FA6] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwOpenSection [0x8F64792C] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwOpenThread [0x8F64811E] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwProtectVirtualMemory [0x8F647ACE] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwQueueApcThread [0x8F64650E] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwReplaceKey [0x8F646B9E] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwRequestWaitReplyPort [0x8F649264] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwRestoreKey [0x8F646AE8] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSecureConnectPort [0x8F648314] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSetBootOptions [0x8F646AB2] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSetContextThread [0x8F646572] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSetInformationFile [0x8F647114] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSetSystemInformation [0x8F647D5C] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwShutdownSystem [0x8F6469C8] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwSystemDebugControl [0x8F6465E4] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwTerminateProcess [0x8F63D000] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwTerminateThread [0x8F63D023] SSDT \??\C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys ZwWriteVirtualMemory [0x8F648E92] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwReplaceKey + 1525 83C45B55 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83C7FBB2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 83C86FB0 4 Bytes [10, 6A, 64, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 83C86FE4 4 Bytes [D8, 6E, 64, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 83C87028 4 Bytes [98, 93, 64, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 83C87078 4 Bytes [2A, 82, 64, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 83C870DC 4 Bytes [84, 7E, 64, 8F] .text ... .hgjhgj1˙˙˙˙SpySheltentry point in ".hgjhgj1˙˙˙˙SpySheltentry point in "" section [0x8F702AA8] C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.sys entry point in ".hgjhgj1˙˙˙˙SpySheltentry point in "" section [0x8F702AA8] .ewrere1˙˙˙˙Spysheltentry point in ".ewrere1˙˙˙˙Spysheltentry point in "" section [0x91C77C2F] C:\Program Files\SpyShelter Free Anti-keylogger\SpyshelterKb.sys entry point in ".ewrere1˙˙˙˙Spysheltentry point in "" section [0x91C77C2F] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9B637000, 0x187DA6, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\svchost.exe[492] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[492] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[492] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[676] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[676] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[676] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[960] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[960] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[960] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelterSrv.exe[988] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelterSrv.exe[988] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelterSrv.exe[988] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atiesrxx.exe[1124] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atiesrxx.exe[1124] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atiesrxx.exe[1124] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1228] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1228] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1228] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1264] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1264] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[1264] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1292] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1292] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1292] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [6E, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [6B, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [65, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [68, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 16, 00, 50, C3] {MOV EAX, 0x1675b3; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 16, 00, 50, C3] {MOV EAX, 0x168305; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [62, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ADVAPI32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ADVAPI32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 16, 00, 50, C3] {MOV EAX, 0x1618b7; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 16, 00, 50, C3, ...] {MOV EAX, 0x1675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 16, 00, 50, C3, ...] {MOV EAX, 0x1677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 16, 00, 50, C3, ...] {MOV EAX, 0x165d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 16, 00, 50, C3, ...] {MOV EAX, 0x161d45; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 16, 00, 50, C3] {MOV EAX, 0x161dd5; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 16, 00, 50, C3, ...] {MOV EAX, 0x165b96; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 16, 00, 50, C3, ...] {MOV EAX, 0x167694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 16, 00, 50, C3] {MOV EAX, 0x1618dd; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 16, 00, 50, C3] {MOV EAX, 0x161e20; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 16, 00, 50, C3, ...] {MOV EAX, 0x161d8d; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 16, 00, 50, C3, ...] {MOV EAX, 0x167344; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 16] {INC ECX; JA 0x19} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!SendInput + 4 777B701D 2 Bytes [92, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 16, 00, 50, C3, ...] {MOV EAX, 0x1658e4; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 16, 00, 50, C3, ...] {MOV EAX, 0x16194f; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 16, 00, 50, C3, ...] {MOV EAX, 0x16567a; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 16] {FST QWORD [EBP+0x16]} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 16, 00, 50, C3, ...] {MOV EAX, 0x1669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 16, 00, 50, C3, ...] {MOV EAX, 0x168653; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1348] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 16, 00, 50, C3, ...] {MOV EAX, 0x1669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1480] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1480] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[1480] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [6E, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [6B, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [65, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [68, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 16, 00, 50, C3] {MOV EAX, 0x1675b3; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 16, 00, 50, C3] {MOV EAX, 0x168305; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [62, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 16, 00, 50, C3, ...] {MOV EAX, 0x1669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 16, 00, 50, C3, ...] {MOV EAX, 0x168653; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 16, 00, 50, C3, ...] {MOV EAX, 0x1669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 16, 00, 50, C3] {MOV EAX, 0x1618b7; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 16, 00, 50, C3, ...] {MOV EAX, 0x1675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 16, 00, 50, C3, ...] {MOV EAX, 0x1677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 16, 00, 50, C3, ...] {MOV EAX, 0x165d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 16, 00, 50, C3, ...] {MOV EAX, 0x161d45; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 16, 00, 50, C3] {MOV EAX, 0x161dd5; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 16, 00, 50, C3, ...] {MOV EAX, 0x165b96; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 16, 00, 50, C3, ...] {MOV EAX, 0x167694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 16, 00, 50, C3] {MOV EAX, 0x1618dd; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 16, 00, 50, C3] {MOV EAX, 0x161e20; PUSH EAX; RET } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 16, 00, 50, C3, ...] {MOV EAX, 0x161d8d; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 16, 00, 50, C3, ...] {MOV EAX, 0x167344; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 16] {INC ECX; JA 0x19} .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!SendInput + 4 777B701D 2 Bytes [92, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 16, 00, 50, C3, ...] {MOV EAX, 0x1658e4; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 16, 00, 50, C3, ...] {MOV EAX, 0x16194f; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 16, 00, 50, C3, ...] {MOV EAX, 0x16567a; PUSH EAX; RET ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 16] {FST QWORD [EBP+0x16]} .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ADVAPI32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] ADVAPI32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] WS2_32.dll!WSALookupServiceBeginW 7785575A 6 Bytes JMP 6FA51A10 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] WS2_32.dll!connect 77856BDD 6 Bytes JMP 6FA51860 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] WS2_32.dll!listen 7785B001 6 Bytes JMP 6FA51900 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe[1516] WS2_32.dll!WSAConnect 7785CC3F 6 Bytes JMP 6FA518B0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Sandboxie\SbieSvc.exe[1540] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Sandboxie\SbieSvc.exe[1540] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Sandboxie\SbieSvc.exe[1540] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atieclxx.exe[1628] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atieclxx.exe[1628] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\atieclxx.exe[1628] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [89, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [8C, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [86, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [80, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [83, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [8F, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 16, 00, 50, C3] {MOV EAX, 0x1675b3; PUSH EAX; RET } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 16, 00, 50, C3] {MOV EAX, 0x168305; PUSH EAX; RET } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 16, 00, 50, C3, ...] {MOV EAX, 0x1669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 16, 00, 50, C3, ...] {MOV EAX, 0x168653; PUSH EAX; RET ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 16, 00, 50, C3, ...] {MOV EAX, 0x1669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 16, 00, 50, C3] {MOV EAX, 0x1618b7; PUSH EAX; RET } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 16, 00, 50, C3, ...] {MOV EAX, 0x1675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 16, 00, 50, C3, ...] {MOV EAX, 0x1677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 16, 00, 50, C3, ...] {MOV EAX, 0x165d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 16, 00, 50, C3, ...] {MOV EAX, 0x161d45; PUSH EAX; RET ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 16, 00, 50, C3] {MOV EAX, 0x161dd5; PUSH EAX; RET } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 16, 00, 50, C3, ...] {MOV EAX, 0x165b96; PUSH EAX; RET ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 16, 00, 50, C3, ...] {MOV EAX, 0x167694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 16, 00, 50, C3] {MOV EAX, 0x1618dd; PUSH EAX; RET } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 16, 00, 50, C3] {MOV EAX, 0x161e20; PUSH EAX; RET } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 16, 00, 50, C3, ...] {MOV EAX, 0x161d8d; PUSH EAX; RET ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 16, 00, 50, C3, ...] {MOV EAX, 0x167344; PUSH EAX; RET ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 16] {INC ECX; JA 0x19} .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!SendInput + 4 777B701D 2 Bytes [A4, 71] .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 16, 00, 50, C3, ...] {MOV EAX, 0x1658e4; PUSH EAX; RET ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 16, 00, 50, C3, ...] {MOV EAX, 0x16194f; PUSH EAX; RET ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 16, 00, 50, C3, ...] {MOV EAX, 0x16567a; PUSH EAX; RET ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 16] {FST QWORD [EBP+0x16]} .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ADVAPI32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\ASUS\ASUS Sonic Focus\SonicFocusTray.exe[1640] ADVAPI32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1644] ntdll.dll!RtlFreeActivationContextStack + 44 77A0F5F6 7 Bytes JMP 090AB938 C:\Program Files\Emsisoft Anti-Malware\a2update.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1644] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1644] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1644] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1644] KERNEL32.dll!GetSystemInfo + B 76ACDDBD 7 Bytes JMP 090AB724 C:\Program Files\Emsisoft Anti-Malware\a2update.dll .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1644] KERNEL32.dll!GetSystemTime + B 76ACEB5C 7 Bytes JMP 0904B5D0 C:\Program Files\Emsisoft Anti-Malware\a2update.dll .text C:\Windows\System32\spoolsv.exe[1688] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\spoolsv.exe[1688] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\spoolsv.exe[1688] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [89, 71] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [8C, 71] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [86, 71] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [80, 71] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [83, 71] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [8F, 71] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 06, 00, 50, C3] {MOV EAX, 0x675b3; PUSH EAX; RET } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 06, 00, 50, C3] {MOV EAX, 0x68305; PUSH EAX; RET } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 06, 00, 50, C3] {MOV EAX, 0x618b7; PUSH EAX; RET } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 06, 00, 50, C3, ...] {MOV EAX, 0x675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 06, 00, 50, C3, ...] {MOV EAX, 0x677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 06, 00, 50, C3, ...] {MOV EAX, 0x65d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d45; PUSH EAX; RET ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 06, 00, 50, C3] {MOV EAX, 0x61dd5; PUSH EAX; RET } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 06, 00, 50, C3, ...] {MOV EAX, 0x65b96; PUSH EAX; RET ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 06, 00, 50, C3, ...] {MOV EAX, 0x67694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 06, 00, 50, C3] {MOV EAX, 0x618dd; PUSH EAX; RET } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 06, 00, 50, C3] {MOV EAX, 0x61e20; PUSH EAX; RET } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d8d; PUSH EAX; RET ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 06, 00, 50, C3, ...] {MOV EAX, 0x67344; PUSH EAX; RET ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 06] {INC ECX; JA 0x9} .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!SendInput + 4 777B701D 2 Bytes [A4, 71] .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 06, 00, 50, C3, ...] {MOV EAX, 0x658e4; PUSH EAX; RET ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 06, 00, 50, C3, ...] {MOV EAX, 0x6194f; PUSH EAX; RET ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 06, 00, 50, C3, ...] {MOV EAX, 0x6567a; PUSH EAX; RET ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 06] {FST QWORD [EBP+0x6]} .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 06, 00, 50, C3, ...] {MOV EAX, 0x68653; PUSH EAX; RET ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] advapi32.DLL!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Sandboxie\SbieCtrl.exe[1740] advapi32.DLL!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [6E, 71] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [80, 71] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [68, 71] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [6B, 71] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 06, 00, 50, C3] {MOV EAX, 0x675b3; PUSH EAX; RET } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 06, 00, 50, C3] {MOV EAX, 0x68305; PUSH EAX; RET } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [65, 71] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 06, 00, 50, C3] {MOV EAX, 0x618b7; PUSH EAX; RET } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 06, 00, 50, C3, ...] {MOV EAX, 0x675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 06, 00, 50, C3, ...] {MOV EAX, 0x677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 06, 00, 50, C3, ...] {MOV EAX, 0x65d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d45; PUSH EAX; RET ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 06, 00, 50, C3] {MOV EAX, 0x61dd5; PUSH EAX; RET } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 06, 00, 50, C3, ...] {MOV EAX, 0x65b96; PUSH EAX; RET ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 06, 00, 50, C3, ...] {MOV EAX, 0x67694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 06, 00, 50, C3] {MOV EAX, 0x618dd; PUSH EAX; RET } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 06, 00, 50, C3] {MOV EAX, 0x61e20; PUSH EAX; RET } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d8d; PUSH EAX; RET ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 06, 00, 50, C3, ...] {MOV EAX, 0x67344; PUSH EAX; RET ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 06] {INC ECX; JA 0x9} .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!SendInput + 4 777B701D 2 Bytes [98, 71] .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 06, 00, 50, C3, ...] {MOV EAX, 0x658e4; PUSH EAX; RET ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 06, 00, 50, C3, ...] {MOV EAX, 0x6194f; PUSH EAX; RET ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 06, 00, 50, C3, ...] {MOV EAX, 0x6567a; PUSH EAX; RET ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 06] {FST QWORD [EBP+0x6]} .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ADVAPI32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ADVAPI32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] WS2_32.dll!WSALookupServiceBeginW 7785575A 6 Bytes JMP 6FA51A10 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] WS2_32.dll!connect 77856BDD 6 Bytes JMP 6FA51860 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] WS2_32.dll!listen 7785B001 6 Bytes JMP 6FA51900 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] WS2_32.dll!WSAConnect 7785CC3F 6 Bytes JMP 6FA518B0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 06, 00, 50, C3, ...] {MOV EAX, 0x68653; PUSH EAX; RET ; NOP } .text C:\Program Files\cFosSpeed\cfosspeed.exe[1756] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [2B, 71] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [2E, 71] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [28, 71] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [22, 71] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [1F, 71] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [25, 71] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [31, 71] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [19, 71] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [1C, 71] {SBB AL, 0x71} .text C:\Windows\system32\Dwm.exe[1812] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\Dwm.exe[1812] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [16, 71] .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!SendInput + 4 777B701D 2 Bytes [46, 71] .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\Dwm.exe[1812] ADVAPI32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\Dwm.exe[1812] ADVAPI32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!RtlFreeActivationContextStack + 44 77A0F5F6 7 Bytes JMP 033F0A40 C:\Program Files\Emsisoft Anti-Malware\a2framework.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [83, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [86, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [80, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [89, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 16, 00, 50, C3] {MOV EAX, 0x1675b3; PUSH EAX; RET } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 16, 00, 50, C3] {MOV EAX, 0x168305; PUSH EAX; RET } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] KERNEL32.dll!GetSystemInfo + B 76ACDDBD 7 Bytes JMP 033F082C C:\Program Files\Emsisoft Anti-Malware\a2framework.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] KERNEL32.dll!GetSystemTime + B 76ACEB5C 7 Bytes JMP 0338C0A8 C:\Program Files\Emsisoft Anti-Malware\a2framework.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [6E, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 16, 00, 50, C3, ...] {MOV EAX, 0x1669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 16, 00, 50, C3, ...] {MOV EAX, 0x168653; PUSH EAX; RET ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 16, 00, 50, C3, ...] {MOV EAX, 0x1669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 16, 00, 50, C3] {MOV EAX, 0x1618b7; PUSH EAX; RET } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 16, 00, 50, C3, ...] {MOV EAX, 0x1675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 16, 00, 50, C3, ...] {MOV EAX, 0x1677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 16, 00, 50, C3, ...] {MOV EAX, 0x165d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 16, 00, 50, C3, ...] {MOV EAX, 0x161d45; PUSH EAX; RET ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 16, 00, 50, C3] {MOV EAX, 0x161dd5; PUSH EAX; RET } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 16, 00, 50, C3, ...] {MOV EAX, 0x165b96; PUSH EAX; RET ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 16, 00, 50, C3, ...] {MOV EAX, 0x167694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 16, 00, 50, C3] {MOV EAX, 0x1618dd; PUSH EAX; RET } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 16, 00, 50, C3] {MOV EAX, 0x161e20; PUSH EAX; RET } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 16, 00, 50, C3, ...] {MOV EAX, 0x161d8d; PUSH EAX; RET ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 16, 00, 50, C3, ...] {MOV EAX, 0x167344; PUSH EAX; RET ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 16] {INC ECX; JA 0x19} .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!SendInput + 4 777B701D 2 Bytes [9E, 71] .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 16, 00, 50, C3, ...] {MOV EAX, 0x1658e4; PUSH EAX; RET ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 16, 00, 50, C3, ...] {MOV EAX, 0x16194f; PUSH EAX; RET ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 16, 00, 50, C3, ...] {MOV EAX, 0x16567a; PUSH EAX; RET ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 16] {FST QWORD [EBP+0x16]} .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] advapi32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Emsisoft Anti-Malware\a2guard.exe[1820] advapi32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [80, 71] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [83, 71] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [86, 71] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [6E, 71] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\Explorer.EXE[1840] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 06, 00, 50, C3] {MOV EAX, 0x675b3; PUSH EAX; RET } .text C:\Windows\Explorer.EXE[1840] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 06, 00, 50, C3] {MOV EAX, 0x68305; PUSH EAX; RET } .text C:\Windows\Explorer.EXE[1840] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [6B, 71] .text C:\Windows\Explorer.EXE[1840] ADVAPI32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] ADVAPI32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 06, 00, 50, C3] {MOV EAX, 0x618b7; PUSH EAX; RET } .text C:\Windows\Explorer.EXE[1840] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 06, 00, 50, C3, ...] {MOV EAX, 0x675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 06, 00, 50, C3, ...] {MOV EAX, 0x677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 06, 00, 50, C3, ...] {MOV EAX, 0x65d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d45; PUSH EAX; RET ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 06, 00, 50, C3] {MOV EAX, 0x61dd5; PUSH EAX; RET } .text C:\Windows\Explorer.EXE[1840] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 06, 00, 50, C3, ...] {MOV EAX, 0x65b96; PUSH EAX; RET ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 06, 00, 50, C3, ...] {MOV EAX, 0x67694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 06, 00, 50, C3] {MOV EAX, 0x618dd; PUSH EAX; RET } .text C:\Windows\Explorer.EXE[1840] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 06, 00, 50, C3] {MOV EAX, 0x61e20; PUSH EAX; RET } .text C:\Windows\Explorer.EXE[1840] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d8d; PUSH EAX; RET ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 06, 00, 50, C3, ...] {MOV EAX, 0x67344; PUSH EAX; RET ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 06] {INC ECX; JA 0x9} .text C:\Windows\Explorer.EXE[1840] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1840] USER32.dll!SendInput + 4 777B701D 2 Bytes [9B, 71] .text C:\Windows\Explorer.EXE[1840] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 06, 00, 50, C3, ...] {MOV EAX, 0x658e4; PUSH EAX; RET ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 06, 00, 50, C3, ...] {MOV EAX, 0x6194f; PUSH EAX; RET ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 06, 00, 50, C3, ...] {MOV EAX, 0x6567a; PUSH EAX; RET ; NOP } .text C:\Windows\Explorer.EXE[1840] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 06] {FST QWORD [EBP+0x6]} .text C:\Windows\Explorer.EXE[1840] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Windows\Explorer.EXE[1840] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Windows\Explorer.EXE[1840] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 06, 00, 50, C3, ...] {MOV EAX, 0x68653; PUSH EAX; RET ; NOP } .text C:\Windows\Explorer.EXE[1840] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Windows\Explorer.EXE[1840] WS2_32.dll!WSALookupServiceBeginW 7785575A 6 Bytes JMP 6FA51A10 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] WS2_32.dll!connect 77856BDD 6 Bytes JMP 6FA51860 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] WS2_32.dll!listen 7785B001 6 Bytes JMP 6FA51900 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\Explorer.EXE[1840] WS2_32.dll!WSAConnect 7785CC3F 6 Bytes JMP 6FA518B0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\HitmanPro\hmpsched.exe[1952] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\HitmanPro\hmpsched.exe[1952] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\HitmanPro\hmpsched.exe[1952] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 06, 00, 50, C3] {MOV EAX, 0x675b3; PUSH EAX; RET } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 06, 00, 50, C3] {MOV EAX, 0x68305; PUSH EAX; RET } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 06, 00, 50, C3, ...] {MOV EAX, 0x68653; PUSH EAX; RET ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 06, 00, 50, C3] {MOV EAX, 0x618b7; PUSH EAX; RET } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 06, 00, 50, C3, ...] {MOV EAX, 0x675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 06, 00, 50, C3, ...] {MOV EAX, 0x677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 06, 00, 50, C3, ...] {MOV EAX, 0x65d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d45; PUSH EAX; RET ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 06, 00, 50, C3] {MOV EAX, 0x61dd5; PUSH EAX; RET } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 06, 00, 50, C3, ...] {MOV EAX, 0x65b96; PUSH EAX; RET ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 06, 00, 50, C3, ...] {MOV EAX, 0x67694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 06, 00, 50, C3] {MOV EAX, 0x618dd; PUSH EAX; RET } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 06, 00, 50, C3] {MOV EAX, 0x61e20; PUSH EAX; RET } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d8d; PUSH EAX; RET ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 06, 00, 50, C3, ...] {MOV EAX, 0x67344; PUSH EAX; RET ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 06] {INC ECX; JA 0x9} .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 06, 00, 50, C3, ...] {MOV EAX, 0x658e4; PUSH EAX; RET ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 06, 00, 50, C3, ...] {MOV EAX, 0x6194f; PUSH EAX; RET ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 06, 00, 50, C3, ...] {MOV EAX, 0x6567a; PUSH EAX; RET ; NOP } .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 06] {FST QWORD [EBP+0x6]} .text C:\Program Files\SpyShelter Free Anti-keylogger\SpyShelter.exe[2012] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [89, 71] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [8C, 71] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [86, 71] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [80, 71] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [83, 71] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [8F, 71] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 05, 00, 50, C3] {MOV EAX, 0x575b3; PUSH EAX; RET } .text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 05, 00, 50, C3] {MOV EAX, 0x58305; PUSH EAX; RET } .text C:\Windows\system32\taskhost.exe[2060] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\taskhost.exe[2060] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\taskhost.exe[2060] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 05, 00, 50, C3, ...] {MOV EAX, 0x569d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Windows\system32\taskhost.exe[2060] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 05, 00, 50, C3, ...] {MOV EAX, 0x58653; PUSH EAX; RET ; NOP } .text C:\Windows\system32\taskhost.exe[2060] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 05, 00, 50, C3, ...] {MOV EAX, 0x569b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 05, 00, 50, C3] {MOV EAX, 0x518b7; PUSH EAX; RET } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 05, 00, 50, C3, ...] {MOV EAX, 0x575e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 05, 00, 50, C3, ...] {MOV EAX, 0x577e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 05, 00, 50, C3, ...] {MOV EAX, 0x55d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 05, 00, 50, C3, ...] {MOV EAX, 0x51d45; PUSH EAX; RET ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 05, 00, 50, C3] {MOV EAX, 0x51dd5; PUSH EAX; RET } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 05, 00, 50, C3, ...] {MOV EAX, 0x55b96; PUSH EAX; RET ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 05, 00, 50, C3, ...] {MOV EAX, 0x57694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 05, 00, 50, C3] {MOV EAX, 0x518dd; PUSH EAX; RET } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 05, 00, 50, C3] {MOV EAX, 0x51e20; PUSH EAX; RET } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 05, 00, 50, C3, ...] {MOV EAX, 0x51d8d; PUSH EAX; RET ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 05, 00, 50, C3, ...] {MOV EAX, 0x57344; PUSH EAX; RET ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 05] {INC ECX; JA 0x8} .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!SendInput + 4 777B701D 2 Bytes [A4, 71] .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 05, 00, 50, C3, ...] {MOV EAX, 0x558e4; PUSH EAX; RET ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 05, 00, 50, C3, ...] {MOV EAX, 0x5194f; PUSH EAX; RET ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 05, 00, 50, C3, ...] {MOV EAX, 0x5567a; PUSH EAX; RET ; NOP } .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 05] {FST QWORD [EBP+0x5]} .text C:\Windows\system32\taskhost.exe[2060] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Windows\system32\taskhost.exe[2060] ADVAPI32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Windows\system32\taskhost.exe[2060] ADVAPI32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [89, 71] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [8C, 71] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [86, 71] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [80, 71] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [83, 71] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [8F, 71] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 06, 00, 50, C3] {MOV EAX, 0x675b3; PUSH EAX; RET } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 06, 00, 50, C3] {MOV EAX, 0x68305; PUSH EAX; RET } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ADVAPI32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ADVAPI32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 06, 00, 50, C3] {MOV EAX, 0x618b7; PUSH EAX; RET } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 06, 00, 50, C3, ...] {MOV EAX, 0x675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 06, 00, 50, C3, ...] {MOV EAX, 0x677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 06, 00, 50, C3, ...] {MOV EAX, 0x65d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d45; PUSH EAX; RET ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 06, 00, 50, C3] {MOV EAX, 0x61dd5; PUSH EAX; RET } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 06, 00, 50, C3, ...] {MOV EAX, 0x65b96; PUSH EAX; RET ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 06, 00, 50, C3, ...] {MOV EAX, 0x67694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 06, 00, 50, C3] {MOV EAX, 0x618dd; PUSH EAX; RET } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 06, 00, 50, C3] {MOV EAX, 0x61e20; PUSH EAX; RET } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d8d; PUSH EAX; RET ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 06, 00, 50, C3, ...] {MOV EAX, 0x67344; PUSH EAX; RET ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 06] {INC ECX; JA 0x9} .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!SendInput + 4 777B701D 2 Bytes [A4, 71] .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 06, 00, 50, C3, ...] {MOV EAX, 0x658e4; PUSH EAX; RET ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 06, 00, 50, C3, ...] {MOV EAX, 0x6194f; PUSH EAX; RET ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 06, 00, 50, C3, ...] {MOV EAX, 0x6567a; PUSH EAX; RET ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 06] {FST QWORD [EBP+0x6]} .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 06, 00, 50, C3, ...] {MOV EAX, 0x68653; PUSH EAX; RET ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ws2_32.dll!WSALookupServiceBeginW 7785575A 6 Bytes JMP 6FA51A10 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ws2_32.dll!connect 77856BDD 6 Bytes JMP 6FA51860 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ws2_32.dll!listen 7785B001 6 Bytes JMP 6FA51900 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Windows Firewall Control\wfc.exe[2076] ws2_32.dll!WSAConnect 7785CC3F 6 Bytes JMP 6FA518B0 C:\Program Files\Emsisoft Anti-Malware\a2hooks32.dll .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2400] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Sandboxie\SbieSvc.exe[2432] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Sandboxie\SbieSvc.exe[2432] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Sandboxie\SbieSvc.exe[2432] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[2480] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[2480] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Fuel\Fuel.Service.exe[2480] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [89, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [8C, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [86, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [80, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [83, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [8F, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 06, 00, 50, C3] {MOV EAX, 0x675b3; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 06, 00, 50, C3] {MOV EAX, 0x68305; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 06, 00, 50, C3] {MOV EAX, 0x618b7; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 06, 00, 50, C3, ...] {MOV EAX, 0x675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 06, 00, 50, C3, ...] {MOV EAX, 0x677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 06, 00, 50, C3, ...] {MOV EAX, 0x65d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d45; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 06, 00, 50, C3] {MOV EAX, 0x61dd5; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 06, 00, 50, C3, ...] {MOV EAX, 0x65b96; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 06, 00, 50, C3, ...] {MOV EAX, 0x67694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 06, 00, 50, C3] {MOV EAX, 0x618dd; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 06, 00, 50, C3] {MOV EAX, 0x61e20; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d8d; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 06, 00, 50, C3, ...] {MOV EAX, 0x67344; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 06] {INC ECX; JA 0x9} .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!SendInput + 4 777B701D 2 Bytes [A4, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 06, 00, 50, C3, ...] {MOV EAX, 0x658e4; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 06, 00, 50, C3, ...] {MOV EAX, 0x6194f; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 06, 00, 50, C3, ...] {MOV EAX, 0x6567a; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 06] {FST QWORD [EBP+0x6]} .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ADVAPI32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ADVAPI32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 06, 00, 50, C3, ...] {MOV EAX, 0x68653; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ws2_32.dll!WSALookupServiceBeginW 7785575A 6 Bytes JMP 6FA51A10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ws2_32.dll!connect 77856BDD 6 Bytes JMP 6FA51860 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ws2_32.dll!listen 7785B001 6 Bytes JMP 6FA51900 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\MOM.exe[2532] ws2_32.dll!WSAConnect 7785CC3F 6 Bytes JMP 6FA518B0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\cFosSpeed\spd.exe[2620] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\cFosSpeed\spd.exe[2620] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\cFosSpeed\spd.exe[2620] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[2756] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[2756] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\System32\svchost.exe[2756] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[2884] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[2884] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Windows\system32\svchost.exe[2884] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\HWDeviceService.exe[3184] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\HWDeviceService.exe[3184] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\HWDeviceService.exe[3184] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [89, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtDeleteValueKey 77A25930 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtDeleteValueKey + 4 77A25934 2 Bytes [8C, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtOpenFile 77A25DC0 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtOpenFile + 4 77A25DC4 2 Bytes [86, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtOpenProcess 77A25E70 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtOpenProcess + 4 77A25E74 2 Bytes [80, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtSetContextThread 77A26650 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtSetContextThread + 4 77A26654 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtSetInformationFile 77A26720 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtSetInformationFile + 4 77A26724 2 Bytes [83, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtSetValueKey 77A268F0 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtSetValueKey + 4 77A268F4 2 Bytes [8F, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtSuspendThread 77A26980 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtSuspendThread + 4 77A26984 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtTerminateThread 77A269C0 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!NtTerminateThread + 4 77A269C4 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!LdrUnloadDll 77A3CBCE 7 Bytes [B8, B3, 75, 06, 00, 50, C3] {MOV EAX, 0x675b3; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ntdll.dll!LdrLoadDll 77A42576 7 Bytes [B8, 05, 83, 06, 00, 50, C3] {MOV EAX, 0x68305; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] KERNEL32.dll!TerminateProcess 76AC2D15 6 Bytes JMP 6FA52FC0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] KERNEL32.dll!CreateProcessInternalW 76AD08A2 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] KERNEL32.dll!CreateProcessInternalW + 4 76AD08A6 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!SetWindowLongA 77788BA3 7 Bytes [B8, B7, 18, 06, 00, 50, C3] {MOV EAX, 0x618b7; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!GetAsyncKeyState 7778A256 11 Bytes [B8, E7, 75, 06, 00, 50, C3, ...] {MOV EAX, 0x675e7; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!CallNextHookEx 7778ABE1 11 Bytes [B8, E2, 77, 06, 00, 50, C3, ...] {MOV EAX, 0x677e2; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!SendMessageA 7778AD60 6 Bytes JMP 6FA51D70 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!PostMessageA 7778B446 6 Bytes JMP 6FA51EF0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!PostThreadMessageW + 80 7778EF7C 11 Bytes [B8, 61, 5D, 06, 00, 50, C3, ...] {MOV EAX, 0x65d61; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!GetMessageA 77791899 8 Bytes [B8, 45, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d45; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!PeekMessageA 777919A5 7 Bytes [B8, D5, 1D, 06, 00, 50, C3] {MOV EAX, 0x61dd5; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!PtInRect + B2 77792444 8 Bytes [B8, 96, 5B, 06, 00, 50, C3, ...] {MOV EAX, 0x65b96; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!GetKeyState 77792B4D 11 Bytes [B8, 94, 76, 06, 00, 50, C3, ...] {MOV EAX, 0x67694; PUSH EAX; RET ; NOP ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!SetWindowLongW 77794449 7 Bytes [B8, DD, 18, 06, 00, 50, C3] {MOV EAX, 0x618dd; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!PostMessageW 7779447B 6 Bytes JMP 6FA51FB0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!SendMessageW 77795539 6 Bytes JMP 6FA51E30 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!PeekMessageW 7779634A 7 Bytes [B8, 20, 1E, 06, 00, 50, C3] {MOV EAX, 0x61e20; PUSH EAX; RET } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!GetMessageW 7779CDE8 8 Bytes [B8, 8D, 1D, 06, 00, 50, C3, ...] {MOV EAX, 0x61d8d; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!mouse_event 777A6209 6 Bytes JMP 6FA51C40 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!GetMessagePos + 66 777B6769 8 Bytes [B8, 44, 73, 06, 00, 50, C3, ...] {MOV EAX, 0x67344; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!GetKeyboardState + 1 777B6947 3 Bytes [41, 77, 06] {INC ECX; JA 0x9} .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!GetKeyboardState + 5 777B694B 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!SendInput 777B7019 3 Bytes [FF, 25, 1E] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!SendInput + 4 777B701D 2 Bytes [A4, 71] .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!DdeConnectList + 64F 777CF4C0 8 Bytes [B8, E4, 58, 06, 00, 50, C3, ...] {MOV EAX, 0x658e4; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!EndTask 777CFD66 8 Bytes [B8, 4F, 19, 06, 00, 50, C3, ...] {MOV EAX, 0x6194f; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!GetRawInputBuffer 777D7190 8 Bytes [B8, 7A, 56, 06, 00, 50, C3, ...] {MOV EAX, 0x6567a; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!keybd_event 777DEC3B 6 Bytes JMP 6FA51CA0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!GetRawInputData + 1 777E4C22 3 Bytes [DD, 55, 06] {FST QWORD [EBP+0x6]} .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] USER32.dll!GetRawInputData + 5 777E4C26 5 Bytes [50, C3, 90, 90, 90] {PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ADVAPI32.dll!CreateServiceW 7795714C 6 Bytes JMP 6FA521E0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ADVAPI32.dll!CreateServiceA 779733F4 6 Bytes JMP 6FA52100 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ole32.dll!CoGetClassObject 76FF54AD 10 Bytes [B8, D7, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669d7; PUSH EAX; RET ; NOP ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ole32.dll!CoCreateInstance 77009D0B 8 Bytes [B8, 53, 86, 06, 00, 50, C3, ...] {MOV EAX, 0x68653; PUSH EAX; RET ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ole32.dll!CoCreateInstanceEx 77009D4E 9 Bytes [B8, B1, 69, 06, 00, 50, C3, ...] {MOV EAX, 0x669b1; PUSH EAX; RET ; NOP ; NOP } .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ws2_32.dll!WSALookupServiceBeginW 7785575A 6 Bytes JMP 6FA51A10 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ws2_32.dll!connect 77856BDD 6 Bytes JMP 6FA51860 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ws2_32.dll!listen 7785B001 6 Bytes JMP 6FA51900 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\AMD\ATI.ACE\Core-Static\CCC.exe[3248] ws2_32.dll!WSAConnect 7785CC3F 6 Bytes JMP 6FA518B0 C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2hooks32.dll .text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[3328] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[3328] ntdll.dll!NtFreeVirtualMemory 77A25AC0 5 Bytes JMP 74EF8EA0 C:\Windows\system32\hmpalert.dll .text C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe[3328] ntdll.dll!NtProtectVirtualMemory 77A26000 5 Bytes JMP 74EF8D80 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[3356] ntdll.dll!NtAllocateVirtualMemory 77A253C0 5 Bytes JMP 74EF8CF0 C:\Windows\system32\hmpalert.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[3356] ntdll.dll!NtCreateFile 77A256B0 3 Bytes [FF, 25, 1E] .text C:\ProgramData\DatacardService\DCSHelper.exe[3356] ntdll.dll!NtCreateFile + 4 77A256B4 2 Bytes [83, 71]