GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-16 22:38:26 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL030M 149,05GB Running: i18xlscf.exe; Driver: C:\Users\lilith\AppData\Local\Temp\uxldrpow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x8E4439FE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8E443BF2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0x8E442CAE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0x8E44362C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0x8E4433BE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8E4447B2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0x8E442658] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x8E443E3C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0x8E4441B8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x8E442F92] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0x8E443824] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0x8E443246] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x8E4444B8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x8E442EFC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x8E443132] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x8E442A8E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0x8E44285C] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83479A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 834B3212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 834BA46C 4 Bytes [FE, 39, 44, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 834BA494 4 Bytes [F2, 3B, 44, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 834BA528 4 Bytes [AE, 2C, 44, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 834BA544 4 Bytes [2C, 36, 44, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 834BA58C 4 Bytes [BE, 33, 44, 8E] .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F832000, 0x1E7294, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] user32.DLL!SetWindowsHookExW 76B9E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] user32.DLL!SetWinEventHook 76BA24DC 6 Bytes JMP 717B000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] user32.DLL!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] advapi32.DLL!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[200] advapi32.DLL!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[384] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[384] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[384] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[384] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[384] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[384] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[384] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[384] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[384] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[384] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[384] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[384] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[384] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[384] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[384] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[384] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[384] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 5 Bytes JMP 74E32270 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtReplyWaitReceivePort 76E96458 5 Bytes JMP 74E31970 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtReplyWaitReceivePortEx 76E96468 5 Bytes JMP 74E31DF0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[556] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 5 Bytes JMP 74E32270 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[556] ntdll.dll!NtReplyWaitReceivePort 76E96458 5 Bytes JMP 74E31970 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[556] ntdll.dll!NtReplyWaitReceivePortEx 76E96468 5 Bytes JMP 74E31DF0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\services.exe[604] services.exe 00CF1608 4 Bytes [40, 5A, 01, 10] {INC EAX; POP EDX; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[604] services.exe 00CF1618 4 Bytes [20, 5E, 01, 10] .text C:\Windows\system32\services.exe[604] services.exe 00CF1638 4 Bytes [A0, 57, 01, 10] .text C:\Windows\system32\services.exe[604] services.exe 00CF1648 4 Bytes [40, 5C, 01, 10] {INC EAX; POP ESP; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[604] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[604] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\services.exe[604] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[604] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[604] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[604] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\services.exe[604] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\services.exe[604] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[604] RPCRT4.dll!RpcServerRegisterIfEx 76760898 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[604] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 717B000A .text C:\Windows\system32\services.exe[604] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 7178000A .text C:\Windows\system32\services.exe[604] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[604] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[604] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[604] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[604] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[604] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[604] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[652] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[652] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsass.exe[652] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[652] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[652] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[652] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[652] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[652] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[652] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[652] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[652] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[652] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[664] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[664] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsm.exe[664] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[664] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[664] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[664] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsm.exe[664] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[664] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[664] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[664] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsm.exe[664] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[664] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[664] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[664] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[664] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[664] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[664] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[736] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[736] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\Explorer.EXE[736] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[736] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[736] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[736] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[736] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[736] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[736] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[736] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[736] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[736] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[736] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[736] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[736] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[736] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717B000A .text C:\Windows\Explorer.EXE[736] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [89, 71] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtCreateFile + 6 76E9560E 4 Bytes [28, 28, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtCreateFile + B 76E95613 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtCreateKey + 6 76E9564E 4 Bytes [68, 29, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtCreateKey + B 76E95653 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtCreateMutant + 6 76E9568E 4 Bytes [68, 2A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtCreateMutant + B 76E95693 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtCreateSection + 6 76E9572E 4 Bytes [A8, 2A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtCreateSection + B 76E95733 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtMapViewOfSection + 6 76E95C6E 4 Bytes CALL 75E9739F C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtMapViewOfSection + B 76E95C73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenFile + 6 76E95D1E 4 Bytes [68, 28, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenFile + B 76E95D23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenKey + 6 76E95D4E 4 Bytes [A8, 29, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenKey + B 76E95D53 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenKeyEx + 6 76E95D5E 4 Bytes CALL 75E9748C C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenKeyEx + B 76E95D63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenMutant + 6 76E95D9E 4 Bytes [28, 2A, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenMutant + B 76E95DA3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenProcess + 6 76E95DCE 4 Bytes [68, 2B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenProcess + B 76E95DD3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenProcessToken + 6 76E95DDE 4 Bytes [A8, 2B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenProcessToken + B 76E95DE3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenProcessTokenEx + 6 76E95DEE 4 Bytes [68, 2C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenProcessTokenEx + B 76E95DF3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenSection + 6 76E95E0E 4 Bytes CALL 75E9753D C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenSection + B 76E95E13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenThread + 6 76E95E4E 4 Bytes [28, 2B, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenThread + B 76E95E53 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenThreadToken + 6 76E95E5E 4 Bytes [28, 2C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenThreadToken + B 76E95E63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenThreadTokenEx + 6 76E95E6E 4 Bytes [A8, 2C, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtOpenThreadTokenEx + B 76E95E73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtQueryAttributesFile + 6 76E95F7E 4 Bytes [A8, 28, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtQueryAttributesFile + B 76E95F83 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtQueryFullAttributesFile + 6 76E9602E 4 Bytes CALL 75E9775B C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtQueryFullAttributesFile + B 76E96033 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtSetInformationFile + 6 76E9667E 4 Bytes [28, 29, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtSetInformationFile + B 76E96683 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtSetInformationThread + 6 76E966DE 4 Bytes CALL 75E97E0E C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtSetInformationThread + B 76E966E3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtUnmapViewOfSection + 6 76E969FE 4 Bytes [28, 2D, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!NtUnmapViewOfSection + B 76E96A03 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] kernel32.dll!CreateProcessW 767F204D 5 Bytes JMP 00180030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] kernel32.dll!CreateProcessA 767F2082 5 Bytes JMP 00180070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7199000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!ActivateKeyboardLayout 76B98203 5 Bytes JMP 002304F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!ScreenToClient 76B9A506 7 Bytes JMP 00230670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!RegisterClipboardFormatA 76B9C091 5 Bytes JMP 002302F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!RegisterClipboardFormatW 76B9DF8D 5 Bytes JMP 002302B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7190000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!SetWinEventHook 76BA24DC 6 Bytes JMP 718D000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!SetCursor 76BA3075 5 Bytes JMP 00230530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!MonitorFromWindow 76BA3622 7 Bytes JMP 00230630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!PostMessageW 76BA447B 5 Bytes JMP 002305F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!IsWindowVisible 76BA4D69 7 Bytes JMP 002306B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetClientRect 76BA54DD 7 Bytes JMP 002305B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!MapWindowPoints 76BA5CAA 5 Bytes JMP 00230570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetParent 76BA6029 7 Bytes JMP 002306F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!EmptyClipboard 76BB290C 5 Bytes JMP 00230130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!SetClipboardData 76BB2962 5 Bytes JMP 00230170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetClipboardData 76BB2BA7 5 Bytes JMP 00230030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetClipboardFormatNameW 76BB5FD2 5 Bytes JMP 00230230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!SetClipboardViewer 76BB6FF6 5 Bytes JMP 002304B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetClipboardFormatNameA 76BB700A 5 Bytes JMP 00230270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!ChangeClipboardChain 76BC147C 5 Bytes JMP 00230430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetTopWindow 76BC24D9 7 Bytes JMP 00230730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!CloseClipboard 76BC446C 5 Bytes JMP 002300B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!OpenClipboard 76BC447E 5 Bytes JMP 00230070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!IsClipboardFormatAvailable 76BC44FF 5 Bytes JMP 002300F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetClipboardSequenceNumber 76BC4513 5 Bytes JMP 00230330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetClipboardOwner 76BC4525 5 Bytes JMP 00230370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!CountClipboardFormats 76BC470A 5 Bytes JMP 002301F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!EnumClipboardFormats 76BC47EC 5 Bytes JMP 002301B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetOpenClipboardWindow 76BC480B 5 Bytes JMP 002303F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7193000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!SetCursorPos 76BDC1B0 5 Bytes JMP 00230770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetClipboardViewer 76BF4AF7 5 Bytes JMP 00230470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] user32.DLL!GetPriorityClipboardFormat 76BF4BF9 5 Bytes JMP 002303B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!DeleteObject 76A15F14 5 Bytes JMP 002401B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SelectObject 76A16640 5 Bytes JMP 002405F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SetTextColor 76A16906 5 Bytes JMP 00240A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SetBkMode 76A169B1 5 Bytes JMP 002408F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!DeleteDC 76A16EAA 5 Bytes JMP 00240170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetDeviceCaps 76A16F7F 5 Bytes JMP 002403B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!ExtSelectClipRgn 76A17114 5 Bytes JMP 002402F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SelectClipRgn 76A17242 5 Bytes JMP 002405B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SetStretchBltMode 76A17705 5 Bytes JMP 002406B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetCurrentObject 76A17917 5 Bytes JMP 00240370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetTextMetricsW 76A17B8F 5 Bytes JMP 00240E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetTextAlign 76A17DAF 5 Bytes JMP 00240D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!IntersectClipRect 76A17DFE 5 Bytes JMP 002403F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!ExtTextOutW 76A18192 5 Bytes JMP 00240970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SetTextAlign 76A1828E 5 Bytes JMP 002409F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetClipBox 76A18525 5 Bytes JMP 00240330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!MoveToEx 76A18C21 5 Bytes JMP 00240470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!StretchDIBits 76A1A53E 5 Bytes JMP 00240770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!RestoreDC 76A1A67B 5 Bytes JMP 00240530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SaveDC 76A1A74B 5 Bytes JMP 00240570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetTextExtentPoint32W 76A1B4B5 5 Bytes JMP 00240670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetTextFaceW 76A1B73A 2 Bytes JMP 00240D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetTextFaceW + 3 76A1B73D 2 Bytes [82, 89] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetFontData 76A1BCC4 5 Bytes JMP 00240C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 7196000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SetWorldTransform 76A1C90A 5 Bytes JMP 002406F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!CreateDCA 76A1CCA9 5 Bytes JMP 002400B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!CreateDCW 76A1CF79 5 Bytes JMP 002400F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!CreateICW 76A1CFD0 5 Bytes JMP 00240130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetTextMetricsA 76A1D0F2 5 Bytes JMP 00240DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!Rectangle 76A1F1E7 5 Bytes JMP 002409B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!LineTo 76A1F583 5 Bytes JMP 00240430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SetICMMode 76A1FA8C 5 Bytes JMP 00240DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!ExtTextOutA 76A20D08 5 Bytes JMP 00240930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetTextExtentPoint32A 76A21167 5 Bytes JMP 00240630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!ExtEscape 76A22D31 5 Bytes JMP 002402B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!Escape 76A233E8 5 Bytes JMP 00240270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!ResetDCW 76A23A83 5 Bytes JMP 00240AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!EndPage 76A240C2 5 Bytes JMP 00240230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SetPolyFillMode 76A267C9 5 Bytes JMP 00240B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SetMiterLimit 76A26985 5 Bytes JMP 00240B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetTextFaceA 76A30D12 5 Bytes JMP 00240CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!GetGlyphOutlineW 76A3C32A 5 Bytes JMP 00240CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!CreateScalableFontResourceW 76A3E987 5 Bytes JMP 00240BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!AddFontResourceW 76A3ED83 5 Bytes JMP 00240BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!RemoveFontResourceW 76A3F279 5 Bytes JMP 00240C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!AbortDoc 76A44E79 5 Bytes JMP 00240030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!EndDoc 76A452C0 5 Bytes JMP 002401F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!StartPage 76A453AB 5 Bytes JMP 00240730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!StartDocW 76A45DC6 5 Bytes JMP 002407F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!BeginPath 76A4656D 5 Bytes JMP 00240830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!SelectClipPath 76A465C4 5 Bytes JMP 00240AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!CloseFigure 76A4661F 5 Bytes JMP 00240070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!EndPath 76A46676 5 Bytes JMP 00240A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!StrokePath 76A468A9 5 Bytes JMP 002407B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!FillPath 76A46936 5 Bytes JMP 00240870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!PolylineTo 76A46DA4 5 Bytes JMP 002404F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!PolyBezierTo 76A46E35 5 Bytes JMP 002404B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] GDI32.dll!PolyDraw 76A46EE7 5 Bytes JMP 002408B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] advapi32.DLL!CreateProcessAsUserA 76912642 6 Bytes JMP 719F000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] advapi32.DLL!CreateProcessWithLogonW 76915429 6 Bytes JMP 719C000A .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ole32.dll!OleSetClipboard 758D0045 5 Bytes JMP 00440030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ole32.dll!OleIsCurrentClipboard 758D36B2 5 Bytes JMP 00440070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_305.exe[784] ole32.dll!OleGetClipboard 758FFDCD 5 Bytes JMP 004400B0 .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[796] RPCRT4.dll!RpcServerRegisterIfEx 76760898 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[796] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[796] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[796] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[796] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[796] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[796] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[796] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[872] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[872] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[872] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[872] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[872] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[872] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[872] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[872] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[872] RPCRT4.dll!RpcServerRegisterIfEx 76760898 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[872] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[872] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[872] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[872] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[872] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[872] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[872] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[872] rpcss.dll!CoGetComCatalog 743835EC 8 Bytes [80, 4F, 01, 10, 40, 4D, 01, ...] {OR BYTE [EDI+0x1], 0x10; INC EAX; DEC EBP; ADD [EAX], EDX} .text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[936] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[936] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[936] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[936] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[936] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[936] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[936] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[936] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[936] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[936] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[936] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[936] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\Ati2evxx.exe[996] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[996] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Ati2evxx.exe[996] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[996] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\Ati2evxx.exe[996] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\Ati2evxx.exe[996] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\Ati2evxx.exe[996] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\Ati2evxx.exe[996] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\Ati2evxx.exe[996] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\Ati2evxx.exe[996] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\Ati2evxx.exe[996] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\Ati2evxx.exe[996] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\Ati2evxx.exe[996] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\Ati2evxx.exe[996] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\Ati2evxx.exe[996] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\Ati2evxx.exe[996] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\Ati2evxx.exe[996] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1028] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1028] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1028] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1028] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1028] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1028] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1028] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1028] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1028] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1028] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1028] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1028] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1028] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1028] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1028] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1028] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1028] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[1076] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1076] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskeng.exe[1076] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1076] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[1076] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[1076] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\taskeng.exe[1076] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[1076] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[1076] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[1076] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[1076] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[1076] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[1076] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[1076] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[1076] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[1076] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[1076] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1080] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1080] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1080] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1080] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1080] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1080] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1080] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1080] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1080] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1080] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1080] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1104] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1104] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1104] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1104] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1104] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1104] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1104] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1104] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1104] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1104] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1104] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1104] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1104] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1104] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1104] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1148] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1148] RPCRT4.dll!RpcServerRegisterIfEx 76760898 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1148] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1148] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1148] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1148] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1148] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\AUDIODG.EXE[1224] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[1224] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\AUDIODG.EXE[1224] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[1224] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[1224] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[1224] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719E001E .text C:\Windows\system32\AUDIODG.EXE[1224] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719B001E .text C:\Windows\system32\AUDIODG.EXE[1224] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[1224] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7180001E .text C:\Windows\system32\AUDIODG.EXE[1224] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717D001E .text C:\Windows\system32\AUDIODG.EXE[1224] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\AUDIODG.EXE[1224] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\AUDIODG.EXE[1224] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[1224] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[1224] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[1224] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7198001E .text C:\Windows\system32\AUDIODG.EXE[1224] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7195001E .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Users\lilith\Desktop\i18xlscf.exe[1260] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\Ati2evxx.exe[1400] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[1400] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Ati2evxx.exe[1400] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Ati2evxx.exe[1400] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\Ati2evxx.exe[1400] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\Ati2evxx.exe[1400] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\Ati2evxx.exe[1400] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\Ati2evxx.exe[1400] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\Ati2evxx.exe[1400] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\Ati2evxx.exe[1400] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\Ati2evxx.exe[1400] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\Ati2evxx.exe[1400] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\Ati2evxx.exe[1400] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\Ati2evxx.exe[1400] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\Ati2evxx.exe[1400] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\Ati2evxx.exe[1400] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\Ati2evxx.exe[1400] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1672] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1672] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\spoolsv.exe[1672] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1672] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1672] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1672] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\System32\spoolsv.exe[1672] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1672] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1672] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1672] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[1672] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1672] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1672] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1672] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1672] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1672] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1672] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1716] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1716] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1716] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1716] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1716] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1716] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1716] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1716] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1716] RPCRT4.dll!RpcServerRegisterIfEx 76760898 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1716] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1716] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1716] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1716] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1716] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1716] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1716] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1716] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1716] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe[1812] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1864] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1864] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1864] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1864] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1864] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1864] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1864] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1864] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1864] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1864] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1864] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1864] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1864] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1864] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1864] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1864] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1864] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] KERNEL32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] KERNEL32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] KERNEL32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe[1916] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[2024] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2024] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskhost.exe[2024] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2024] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[2024] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[2024] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\taskhost.exe[2024] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[2024] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[2024] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[2024] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[2024] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[2024] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[2024] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[2024] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[2024] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[2024] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[2024] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\PnkBstrA.exe[2108] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\PnkBstrA.exe[2108] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\PnkBstrA.exe[2108] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\PnkBstrA.exe[2108] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\PnkBstrA.exe[2108] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\PnkBstrA.exe[2108] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\PnkBstrA.exe[2108] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\PnkBstrA.exe[2108] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\PnkBstrA.exe[2108] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\PnkBstrA.exe[2108] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\PnkBstrA.exe[2108] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\PnkBstrA.exe[2108] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\PnkBstrA.exe[2108] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\PnkBstrA.exe[2108] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\PnkBstrA.exe[2108] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\PnkBstrA.exe[2108] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\PnkBstrA.exe[2108] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2136] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2168] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2168] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2168] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2168] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2168] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2168] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2168] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2168] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2168] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2168] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2168] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2168] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2168] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2168] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2168] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2168] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2168] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\conhost.exe[2252] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[2252] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\conhost.exe[2252] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[2252] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\conhost.exe[2252] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\conhost.exe[2252] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\conhost.exe[2252] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\conhost.exe[2252] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\conhost.exe[2252] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\conhost.exe[2252] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\conhost.exe[2252] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\conhost.exe[2252] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\conhost.exe[2252] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\conhost.exe[2252] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\conhost.exe[2252] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\conhost.exe[2252] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\conhost.exe[2252] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Browny02\Brother\BrStMonW.exe[2292] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[2392] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[2400] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\K2T\WTW\wtw.exe[2440] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\K2T\WTW\wtw.exe[2440] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\K2T\WTW\wtw.exe[2440] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\K2T\WTW\wtw.exe[2440] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 717B000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 7178000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 717E000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7181000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\K2T\WTW\wtw.exe[2440] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2648] ntdll.dll!NtAllocateVirtualMemory 76E95318 5 Bytes JMP 01263760 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2648] ntdll.dll!NtCreateFile 76E95608 5 Bytes JMP 012AD090 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[2672] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Browny02\BrYNSvc.exe[2872] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Browny02\BrYNSvc.exe[2872] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Browny02\BrYNSvc.exe[2872] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Browny02\BrYNSvc.exe[2872] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Browny02\BrYNSvc.exe[2872] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] USER32.dll!RegisterMessagePumpHook + 2F1 76B98B9E 7 Bytes JMP 634C0102 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] USER32.dll!IsDialogMessageW + 340 76BA4444 7 Bytes JMP 634C0173 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] USER32.dll!GetWindowInfo 76BA4B5E 5 Bytes JMP 634C261E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] USER32.dll!ToUnicodeEx + 71 76BB2223 3 Bytes JMP 634BD8F6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] USER32.dll!ToUnicodeEx + 75 76BB2227 3 Bytes [EC, EB, F9] {IN AL, DX; JMP 0xfffffffc} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2928] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2932] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2932] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2932] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2932] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2932] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2932] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2932] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2932] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2932] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2932] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2932] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2932] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2932] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2932] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2932] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2964] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtCreateFile 76E95608 5 Bytes JMP 631F9AE0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtFlushBuffersFile 76E95998 5 Bytes JMP 631DC434 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtQueryFullAttributesFile 76E96028 5 Bytes JMP 631DC150 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtReadFile 76E962F8 5 Bytes JMP 631DC330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtReadFileScatter 76E96308 5 Bytes JMP 63BFF60F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtWriteFile 76E96AA8 5 Bytes JMP 631FA9F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtWriteFileGather 76E96AB8 5 Bytes JMP 63BFF5BE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ntdll.dll!LdrLoadDll 76EB22AE 5 Bytes JMP 67E71F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 768394E6 7 Bytes JMP 63B24AA0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] kernel32.dll!QueryPerformanceCounter + 13 7683C4E5 7 Bytes JMP 63B24AC3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] kernel32.dll!LoadAppInitDlls + 355 7683F5A6 7 Bytes JMP 631F63D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] USER32.dll!GetWindowInfo 76BA4B5E 5 Bytes JMP 63A1B991 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] GDI32.dll!GetViewportOrgEx + 26C 76A1884B 7 Bytes JMP 63B24A21 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3040] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3180] ntdll.dll!NtAllocateVirtualMemory 76E95318 5 Bytes JMP 01154FE0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[3216] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[3720] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[3744] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] ntdll.dll!NtAlpcSendWaitReceivePort 76E95458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] ntdll.dll!NtAlpcSendWaitReceivePort + 4 76E9545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] ntdll.dll!NtClose 76E95508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] ntdll.dll!NtClose + 4 76E9550C 2 Bytes [AE, 71] .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] ntdll.dll!LdrUnloadDll 76EAC8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] kernel32.dll!CreateProcessW 767F204D 6 Bytes JMP 719F000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] kernel32.dll!CreateProcessA 767F2082 6 Bytes JMP 719C000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] kernel32.dll!CreateProcessAsUserW 76825ABF 6 Bytes JMP 7193000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] USER32.dll!SetWindowsHookExW 76B9E30C 6 Bytes JMP 7181000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] USER32.dll!SetWinEventHook 76BA24DC 6 Bytes JMP 717E000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] USER32.dll!SetWindowsHookExA 76BC6D0C 6 Bytes JMP 7184000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] GDI32.dll!DeleteDC 76A16EAA 6 Bytes JMP 7187000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] GDI32.dll!GetPixel 76A1C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] GDI32.dll!CreateDCA 76A1CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] GDI32.dll!CreateDCW 76A1CF79 6 Bytes JMP 718D000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] ADVAPI32.dll!CreateProcessAsUserA 76912642 6 Bytes JMP 7199000A .text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[3856] ADVAPI32.dll!CreateProcessWithLogonW 76915429 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4088] ntdll.dll!NtAllocateVirtualMemory 76E95318 5 Bytes JMP 00A011F0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4088] ntdll.dll!NtCreateFile 76E95608 5 Bytes JMP 00A01000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B2249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73B05652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73B05710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B2251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B1857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B14D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B150D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B151AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73B166DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B182D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73B18824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B19085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73B1E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73B14C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBF 0xC8 0x46 0x7F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xAA 0x5B 0x0E 0x88 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBF 0xCC 0x42 0x1F ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBF 0xC8 0x46 0x7F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xAA 0x5B 0x0E 0x88 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBF 0xCC 0x42 0x1F ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----