GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-12-01 22:34:15 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHX2250BT rev.0040000C Running: hfip3ntm.exe; Driver: C:\Users\remik\AppData\Local\Temp\kwddakob.sys ---- System - GMER 1.0.15 ---- SSDT 86932230 ZwAlpcConnectPort SSDT 869389C0 ZwLoadDriver SSDT \??\C:\Windows\system32\DRIVERS\PavProc.sys ZwTerminateProcess [0x9D5B373A] SSDT \??\C:\Windows\system32\PavSRK.sys ZwWriteVirtualMemory [0x9C4BBC30] ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKey + 13D1 83278349 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832B1D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 832B8DB4 4 Bytes [30, 22, 93, 86] .text ntkrnlpa.exe!KeRemoveQueueEx + 1313 832B8FC8 4 Bytes [C0, 89, 93, 86] .text ntkrnlpa.exe!KeRemoveQueueEx + 166F 832B9324 4 Bytes [3A, 37, 5B, 9D] {CMP DH, [EDI]; POP EBX; POPF } .text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 832B9398 4 Bytes [30, BC, 4B, 9C] ? System32\Drivers\spfi.sys System nie może odnaleźć określonej ścieżki. ! .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9120E000, 0x23097E, 0xE8000020] .text USBPORT.SYS!DllUnload 90D9DCA0 5 Bytes JMP 86D574E0 .text anr5dktv.SYS 8F201000 12 Bytes [44, 88, 20, 83, EE, 86, 20, ...] {INC ESP; MOV [EAX], AH; SUB ESI, -0x7a; AND [EBX-0x7cdf9860], AL} .text anr5dktv.SYS 8F20100D 9 Bytes [67, 20, 83, 48, 8B, 20, 83, ...] .text anr5dktv.SYS 8F201017 170 Bytes [00, DE, F7, EF, 83, E6, F5, ...] .text anr5dktv.SYS 8F2010C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text anr5dktv.SYS 8F2010CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL} .text ... ? C:\Windows\system32\PavTPK.sys Nie można odnaleźć określonego pliku. ! ? 
C:\Windows\system32\PavSRK.sys Nie można odnaleźć określonego pliku. ! ? system32\drivers\av5flt.sys System nie może odnaleźć określonej ścieżki. ! .text kernel32.dll!CopyFileExW 7749B238 6 Bytes [FF, 25, 1E, 00, 3E, 5F] {JMP [0x5f3e001e]} .text kernel32.dll!CreateFileMappingW 774A120C 6 Bytes [FF, 25, 1E, 00, 41, 5F] {JMP [0x5f41001e]} .text kernel32.dll!TerminateProcess 774A2BBD 6 Bytes [FF, 25, 1E, 00, 32, 5F] {JMP [0x5f32001e]} .text kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes [FF, 25, 1E, 00, 47, 5F] {JMP [0x5f47001e]} .text kernel32.dll!MapViewOfFile 774A93DB 6 Bytes [FF, 25, 1E, 00, 3B, 5F] {JMP [0x5f3b001e]} .text kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes [FF, 25, 1E, 00, 38, 5F] {JMP [0x5f38001e]} .text kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes [FF, 25, 1E, 00, 35, 5F] {JMP [0x5f35001e]} .text kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes [FF, 25, 1E, 00, 44, 5F] {JMP [0x5f44001e]} .text user32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text user32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B6, 5F] {MOV DH, 0x5f} .text user32.dll!GetAsyncKeyState 7733A256 6 Bytes [FF, 25, 1E, 00, 9E, 5F] {JMP [0x5f9e001e]} .text user32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes [FF, 25, 1E, 00, 95, 5F] {JMP [0x5f95001e]} .text user32.dll!PostMessageA 7733B446 6 Bytes [FF, 25, 1E, 00, B0, 5F] {JMP [0x5fb0001e]} .text user32.dll!SetWindowsHookExW 7733E30C 6 Bytes [FF, 25, 1E, 00, B9, 5F] {JMP [0x5fb9001e]} .text user32.dll!SetWinEventHook 773424DC 6 Bytes [FF, 25, 1E, 00, B3, 5F] {JMP [0x5fb3001e]} .text user32.dll!GetKeyState 77342B4D 6 Bytes [FF, 25, 1E, 00, A7, 5F] {JMP [0x5fa7001e]} .text user32.dll!DispatchMessageA 77342E32 6 Bytes [FF, 25, 1E, 00, 98, 5F] {JMP [0x5f98001e]} .text user32.dll!PostMessageW 7734447B 6 Bytes [FF, 25, 1E, 00, AD, 5F] {JMP [0x5fad001e]} .text user32.dll!TranslateMessage 773464C7 6 Bytes [FF, 25, 1E, 00, 9B, 5F] {JMP [0x5f9b001e]} .text user32.dll!DispatchMessageW 7734CC61 6 Bytes [FF, 25, 1E, 00, BC, 
5F] {JMP [0x5fbc001e]} .text user32.dll!SetClipboardData 77352962 6 Bytes [FF, 25, 1E, 00, BF, 5F] {JMP [0x5fbf001e]} .text user32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text user32.dll!GetKeyboardState + 4 7736694A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text user32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text user32.dll!AttachThreadInput + 4 77366B58 2 Bytes [A1, 5F] .text user32.dll!SetWindowsHookExA 77366D0C 6 Bytes [FF, 25, 1E, 00, 92, 5F] {JMP [0x5f92001e]} .text user32.dll!DdeConnect 7737EB5B 6 Bytes [FF, 25, 1E, 00, AA, 5F] {JMP [0x5faa001e]} ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtClose + 4 775854CC 2 Bytes [6B, 5F] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [8C, 5F] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [8F, 5F] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] 
ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [80, 5F] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [83, 5F] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft 
Anti-Malware\a2service.exe[108] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [A1, 5F] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [86, 5F] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [89, 5F] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F5E0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F610F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F520F5A .text C:\Program 
Files\Emsisoft Anti-Malware\a2service.exe[108] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F670F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F5B0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F580F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F550F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F640F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5FA60F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5FA90F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ole32.dll!CoGetClassObject 771954AD 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] ole32.dll!CoCreateInstanceEx 771A9D4E 6 Bytes JMP 5FAF0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [D7, 5F] {XLATB ; POP EDI} .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5FBE0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5FB50F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FD00F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FD90F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FD30F5A .text C:\Program 
Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FC70F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5FB80F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FCD0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5FBB0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FDC0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FDF0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [C5, 5F] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [C2, 5F] .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5FB20F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FCA0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!StartServiceW 75B57974 6 Bytes JMP 5F490F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F430F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F400F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F310F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] 
advapi32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!ControlService 75B77144 6 Bytes JMP 5F340F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!DeleteService 75B7715C 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F250F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F280F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F370F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!StartServiceA 75B93543 6 Bytes JMP 5F460F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F4C0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] advapi32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F4F0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!sendto 772F34B5 6 Bytes JMP 5F100F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!closesocket 772F3918 6 Bytes JMP 5F220F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!WSASend 772F4406 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!recv 772F6B0E 6 Bytes JMP 5F070F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!connect 772F6BDD 6 Bytes JMP 5F040F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!send 772F6F01 6 Bytes JMP 5F0D0F5A .text 
C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!WSARecv 772F7089 6 Bytes JMP 5F160F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5F190F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5F130F5A .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[108] WS2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] 
ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Program 
Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Program Files\Malwarebytes' 
Anti-Malware\mbam.exe[208] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F340F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B6, 5F] {MOV DH, 0x5f} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F9D0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F940F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FAF0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB80F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FB20F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA60F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F970F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F9A0F5A .text C:\Program Files\Malwarebytes' 
Anti-Malware\mbam.exe[208] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FBB0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FBE0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [A1, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F910F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA90F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] 
ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ole32.dll!CoGetClassObject 771954AD 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] ole32.dll!CoCreateInstanceEx 771A9D4E 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!sendto 772F34B5 6 Bytes JMP 5FCD0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!closesocket 772F3918 6 Bytes JMP 5FDF0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!WSASend 772F4406 6 Bytes JMP 5FD90F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!recv 772F6B0E 6 Bytes JMP 5FC40F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!connect 772F6BDD 6 Bytes JMP 5FC10F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!send 772F6F01 6 Bytes JMP 5FCA0F5A .text C:\Program 
Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!WSARecv 772F7089 6 Bytes JMP 5FD30F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 5FC70F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5FD60F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5FD00F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[208] WS2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5FDC0F5A .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text 
C:\Windows\system32\lsm.exe[592] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text 
C:\Windows\system32\lsm.exe[592] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Windows\system32\lsm.exe[592] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\Windows\system32\lsm.exe[592] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Windows\system32\lsm.exe[592] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Windows\system32\lsm.exe[592] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Windows\system32\lsm.exe[592] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Windows\system32\lsm.exe[592] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Windows\system32\lsm.exe[592] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F340F5A .text C:\Windows\system32\lsm.exe[592] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Windows\system32\lsm.exe[592] 
ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Windows\system32\lsm.exe[592] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Windows\system32\lsm.exe[592] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F970F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F8E0F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FA90F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB20F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FAC0F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA00F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F910F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FA60F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F940F5A .text C:\Windows\system32\lsm.exe[592] 
USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FB50F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FB80F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Windows\system32\lsm.exe[592] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[592] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Windows\system32\lsm.exe[592] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F8B0F5A .text C:\Windows\system32\lsm.exe[592] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA30F5A .text C:\Windows\system32\lsm.exe[592] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text C:\Windows\system32\lsm.exe[592] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text 
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] 
.text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] 
kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F340F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A 
.text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B6, 5F] {MOV DH, 0x5f} .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F9D0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F940F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FAF0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB80F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FB20F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA60F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F970F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FAC0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F9A0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FBB0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FBE0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text 
C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [A1, 5F] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F910F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA90F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ole32.dll!CoGetClassObject 771954AD 6 Bytes JMP 5F8B0F5A .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[772] ole32.dll!CoCreateInstanceEx 771A9D4E 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtClose + 4 775854CC 2 Bytes [6B, 5F] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [8C, 5F] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile 
Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [8F, 5F] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [A4, 5F] 
{MOVSB ; POP EDI} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [80, 5F] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [83, 5F] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [A1, 5F] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\Program Files\Common Files\Apple\Mobile 
Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [86, 5F] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [89, 5F] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F5E0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F610F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F520F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F670F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F5B0F5A 
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F580F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F550F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F640F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F490F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F430F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F400F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F310F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F340F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] 
ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F250F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F280F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F370F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F460F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F4C0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F4F0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [D7, 5F] {XLATB ; POP EDI} .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5FBE0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5FB50F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FD00F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FD90F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FD30F5A .text 
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FC70F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5FB80F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FCD0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5FBB0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FDC0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FDF0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [C5, 5F] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [C2, 5F] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5FB20F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FCA0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!sendto 772F34B5 6 Bytes JMP 5F100F5A 
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!closesocket 772F3918 6 Bytes JMP 5F220F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!WSASend 772F4406 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!recv 772F6B0E 6 Bytes JMP 5F070F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!connect 772F6BDD 6 Bytes JMP 5F040F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!send 772F6F01 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!WSARecv 772F7089 6 Bytes JMP 5F160F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5F190F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5F130F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] WS2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5FA60F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5FA90F5A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[792] ole32.dll!CoGetClassObject 771954AD 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Common Files\Apple\Mobile Device 
Support\AppleMobileDeviceService.exe[792] ole32.dll!CoCreateInstanceEx 771A9D4E 6 Bytes JMP 5FAF0F5A .text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtProtectVirtualMemory 77585F18 5 Bytes JMP 0032000A .text C:\Windows\system32\svchost.exe[1024] ntdll.dll!NtWriteVirtualMemory 77586A98 5 Bytes JMP 0054000A .text C:\Windows\system32\svchost.exe[1024] ntdll.dll!KiUserExceptionDispatcher 77587008 5 Bytes JMP 0031000A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtClose + 4 775854CC 2 Bytes [6B, 5F] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [8C, 5F] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [8F, 5F] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [77, 5F] {JA 0x61} .text 
C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [80, 5F] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [83, 5F] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [A1, 5F] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Program 
Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [86, 5F] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [89, 5F] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F5E0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F610F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F520F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F670F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F5B0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F580F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F550F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F640F5A .text C:\Program 
Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!sendto 772F34B5 6 Bytes JMP 5F100F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!closesocket 772F3918 6 Bytes JMP 5F220F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!WSASend 772F4406 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!recv 772F6B0E 6 Bytes JMP 5F070F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!connect 772F6BDD 6 Bytes JMP 5F040F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!send 772F6F01 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!WSARecv 772F7089 6 Bytes JMP 5F160F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5F190F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5F130F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] WS2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F490F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F430F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F400F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F310F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F340F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] 
ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F250F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F280F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F370F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F460F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F4C0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F4F0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [D7, 5F] {XLATB ; POP EDI} .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5FBE0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5FB50F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FD00F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FD90F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FD30F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FC70F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5FB80F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] 
USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FCD0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5FBB0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FDC0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FDF0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [C5, 5F] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [C2, 5F] .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5FB20F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FCA0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5FA60F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5FA90F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ole32.dll!CoGetClassObject 771954AD 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Bonjour\mDNSResponder.exe[1312] ole32.dll!CoCreateInstanceEx 771A9D4E 6 Bytes JMP 5FAF0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtClose + 4 775854CC 2 Bytes [6B, 5F] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet 
Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [8C, 5F] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [8F, 5F] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton 
Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [80, 5F] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [83, 5F] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [A1, 5F] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtSetInformationFile 77586638 3 
Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [86, 5F] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [89, 5F] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F5E0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F610F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F520F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F670F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] 
kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F5B0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F580F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F550F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F640F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [D7, 5F] {XLATB ; POP EDI} .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5FBE0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5FB50F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FD00F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FD90F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FD30F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FC70F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5FB80F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FCD0F5A .text C:\Program Files\Norton Internet 
Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5FBB0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FDC0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FDF0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [C5, 5F] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [C2, 5F] .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5FB20F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FCA0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5FA60F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5FA90F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ole32.dll!CoGetClassObject 771954AD 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ole32.dll!CoCreateInstanceEx 771A9D4E 6 Bytes JMP 5FAF0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!sendto 772F34B5 6 Bytes JMP 5F100F5A .text C:\Program Files\Norton Internet 
Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!closesocket 772F3918 6 Bytes JMP 5F220F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!WSASend 772F4406 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!recv 772F6B0E 6 Bytes JMP 5F070F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!connect 772F6BDD 6 Bytes JMP 5F040F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!send 772F6F01 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!WSARecv 772F7089 6 Bytes JMP 5F160F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5F190F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5F130F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ws2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F490F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F430F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F400F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F310F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 
5F3A0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F340F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F250F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F280F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F370F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F460F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F4C0F5A .text C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe[2008] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F4F0F5A .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes 
[4D, 5F] {DEC EBP; POP EDI} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtQueryValueKey + 4 7758624C 2 
Bytes [62, 5F] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Windows\Explorer.EXE[2120] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\Windows\Explorer.EXE[2120] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Windows\Explorer.EXE[2120] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Windows\Explorer.EXE[2120] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Windows\Explorer.EXE[2120] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Windows\Explorer.EXE[2120] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Windows\Explorer.EXE[2120] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes 
JMP 5F340F5A .text C:\Windows\Explorer.EXE[2120] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Windows\Explorer.EXE[2120] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Windows\Explorer.EXE[2120] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F970F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F8E0F5A .text 
C:\Windows\Explorer.EXE[2120] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FA90F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB20F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FAC0F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA00F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F910F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FA60F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F940F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FB50F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FB80F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Windows\Explorer.EXE[2120] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2120] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Windows\Explorer.EXE[2120] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F8B0F5A .text C:\Windows\Explorer.EXE[2120] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA30F5A .text C:\Windows\Explorer.EXE[2120] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text C:\Windows\Explorer.EXE[2120] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\Windows\Explorer.EXE[2120] WS2_32.dll!sendto 772F34B5 6 Bytes JMP 5FC70F5A .text C:\Windows\Explorer.EXE[2120] WS2_32.dll!closesocket 772F3918 6 Bytes JMP 5FD90F5A .text C:\Windows\Explorer.EXE[2120] WS2_32.dll!WSASend 772F4406 6 Bytes JMP 5FD30F5A .text C:\Windows\Explorer.EXE[2120] WS2_32.dll!recv 772F6B0E 6 Bytes JMP 5FBE0F5A .text C:\Windows\Explorer.EXE[2120] 
WS2_32.dll!connect 772F6BDD 6 Bytes JMP 5FBB0F5A .text C:\Windows\Explorer.EXE[2120] WS2_32.dll!send 772F6F01 6 Bytes JMP 5FC40F5A .text C:\Windows\Explorer.EXE[2120] WS2_32.dll!WSARecv 772F7089 6 Bytes JMP 5FCD0F5A .text C:\Windows\Explorer.EXE[2120] WS2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 5FC10F5A .text C:\Windows\Explorer.EXE[2120] WS2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5FD00F5A .text C:\Windows\Explorer.EXE[2120] WS2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5FCA0F5A .text C:\Windows\Explorer.EXE[2120] WS2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5FD60F5A .text C:\Windows\System32\ping.exe[2376] ntdll.dll!NtCreateProcess 77585698 5 Bytes JMP 003C000A .text C:\Windows\System32\ping.exe[2376] ntdll.dll!NtCreateProcessEx 775856A8 5 Bytes JMP 003D000A .text C:\Windows\System32\ping.exe[2376] ntdll.dll!NtCreateUserProcess 77585778 5 Bytes JMP 003E000A .text C:\Windows\System32\ping.exe[2376] ntdll.dll!NtProtectVirtualMemory 77585F18 5 Bytes JMP 0026000A .text C:\Windows\System32\ping.exe[2376] ntdll.dll!NtWriteVirtualMemory 77586A98 5 Bytes JMP 0027000A .text C:\Windows\System32\ping.exe[2376] ntdll.dll!KiUserExceptionDispatcher 77587008 5 Bytes JMP 0025000A .text C:\Windows\System32\ping.exe[2376] USER32.dll!GetCursorPos 7733A4B3 5 Bytes JMP 005E000A .text C:\Windows\System32\ping.exe[2376] USER32.dll!GetForegroundWindow 7734335D 5 Bytes JMP 0060000A .text C:\Windows\System32\ping.exe[2376] USER32.dll!WindowFromPoint 77366BE9 5 Bytes JMP 005F000A .text C:\Windows\System32\ping.exe[2376] ole32.dll!CoCreateInstance 771A9D0B 5 Bytes JMP 005D000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!sendto 772F34B5 6 Bytes JMP 5F100F5A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!closesocket 772F3918 6 Bytes JMP 5F220F5A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!WSASend 772F4406 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!recv 772F6B0E 6 
Bytes JMP 5F070F5A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!connect 772F6BDD 6 Bytes JMP 5F040F5A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!send 772F6F01 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!WSARecv 772F7089 6 Bytes JMP 5F160F5A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5F190F5A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5F130F5A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2544] WS2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5F1F0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes 
[FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Windows\system32\SearchIndexer.exe[2564] 
ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Windows\system32\SearchIndexer.exe[2564] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Windows\system32\SearchIndexer.exe[2564] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Windows\system32\SearchIndexer.exe[2564] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Windows\system32\SearchIndexer.exe[2564] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Windows\system32\SearchIndexer.exe[2564] kernel32.dll!MapViewOfFileEx 
774AD7EC 6 Bytes JMP 5F340F5A .text C:\Windows\system32\SearchIndexer.exe[2564] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!CreateAcceleratorTableW + 
4 77339798 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F970F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F8E0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FA90F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB20F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FAC0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA00F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F910F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FA60F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F940F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FB50F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FB80F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F8B0F5A .text C:\Windows\system32\SearchIndexer.exe[2564] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA30F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 
5F850F5A .text C:\Windows\system32\SearchIndexer.exe[2564] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!sendto 772F34B5 6 Bytes JMP 5F100F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!closesocket 772F3918 6 Bytes JMP 5F220F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!WSASend 772F4406 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!recv 772F6B0E 6 Bytes JMP 5F070F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!connect 772F6BDD 6 Bytes JMP 5F040F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!send 772F6F01 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!WSARecv 772F7089 6 Bytes JMP 5F160F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5F190F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5F130F5A .text C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe[2752] WS2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] 
ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] 
ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 
5F] {JA 0x61} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Program Files\Common Files\Panda 
Security\PavShld\pavprsrv.exe[2900] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F340F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!StartServiceA 
75B93543 6 Bytes JMP 5F250F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F970F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FA90F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB20F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA00F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F910F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FA60F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F940F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FB50F5A .text C:\Program Files\Common 
Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FB80F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA30F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe[2900] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB 
; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text 
C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Windows\system32\Dwm.exe[3068] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\Windows\system32\Dwm.exe[3068] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Windows\system32\Dwm.exe[3068] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Windows\system32\Dwm.exe[3068] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Windows\system32\Dwm.exe[3068] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Windows\system32\Dwm.exe[3068] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Windows\system32\Dwm.exe[3068] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F340F5A .text 
C:\Windows\system32\Dwm.exe[3068] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F970F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F8E0F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FA90F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB20F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FAC0F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA00F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F910F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FA60F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F940F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FB50F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FB80F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F8B0F5A .text C:\Windows\system32\Dwm.exe[3068] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 
5FA30F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Windows\system32\Dwm.exe[3068] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A .text C:\Windows\system32\Dwm.exe[3068] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text C:\Windows\system32\Dwm.exe[3068] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!sendto 772F34B5 6 Bytes JMP 5F100F5A .text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!closesocket 772F3918 6 Bytes JMP 5F220F5A .text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!WSASend 772F4406 6 Bytes JMP 5F1C0F5A 
.text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!recv 772F6B0E 6 Bytes JMP 5F070F5A .text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!connect 772F6BDD 6 Bytes JMP 5F040F5A .text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!send 772F6F01 6 Bytes JMP 5F0D0F5A .text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!WSARecv 772F7089 6 Bytes JMP 5F160F5A .text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 5F0A0F5A .text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5F190F5A .text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5F130F5A .text C:\Windows\system32\vmnetdhcp.exe[3136] WS2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5F1F0F5A .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 
Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text 
C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Windows\system32\taskhost.exe[3532] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\Windows\system32\taskhost.exe[3532] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Windows\system32\taskhost.exe[3532] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Windows\system32\taskhost.exe[3532] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Windows\system32\taskhost.exe[3532] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Windows\system32\taskhost.exe[3532] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Windows\system32\taskhost.exe[3532] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F340F5A .text C:\Windows\system32\taskhost.exe[3532] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\Windows\system32\taskhost.exe[3532] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text 
C:\Windows\system32\taskhost.exe[3532] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F970F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F8E0F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FA90F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB20F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FAC0F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA00F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F910F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FA60F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F940F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FB50F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FB80F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 
5F8B0F5A .text C:\Windows\system32\taskhost.exe[3532] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA30F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Windows\system32\taskhost.exe[3532] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text 
C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtOpenFile + 4 
77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Opera\Opera.exe[3740] kernel32.dll!CopyFileExW 
7749B238 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Opera\Opera.exe[3740] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Program Files\Opera\Opera.exe[3740] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Program Files\Opera\Opera.exe[3740] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Program Files\Opera\Opera.exe[3740] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Opera\Opera.exe[3740] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Program Files\Opera\Opera.exe[3740] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F340F5A .text C:\Program Files\Opera\Opera.exe[3740] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F970F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FA90F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB20F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA00F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F910F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FA60F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F940F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!DispatchMessageW 
7734CC61 6 Bytes JMP 5FB50F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FB80F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Opera\Opera.exe[3740] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA30F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Program Files\Opera\Opera.exe[3740] 
ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Opera\Opera.exe[3740] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Opera\Opera.exe[3740] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text C:\Program Files\Opera\Opera.exe[3740] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!sendto 772F34B5 6 Bytes JMP 5FC70F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!closesocket 772F3918 6 Bytes JMP 5FD90F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!WSASend 772F4406 6 Bytes JMP 5FD30F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!recv 772F6B0E 6 Bytes JMP 5FBE0F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!connect 772F6BDD 6 Bytes JMP 5FBB0F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!send 772F6F01 6 Bytes JMP 5FC40F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!WSARecv 772F7089 6 Bytes JMP 5FCD0F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 5FC10F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5FD00F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5FCA0F5A .text C:\Program Files\Opera\Opera.exe[3740] WS2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5FD60F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 
25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] 
ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] 
ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F340F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] kernel32.dll!CreateRemoteThread 774EFAF3 
6 Bytes JMP 5F430F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 
5F2E0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B6, 5F] {MOV DH, 0x5f} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F9D0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F940F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FAF0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB80F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FB20F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA60F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F970F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F9A0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FBB0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FBE0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} 
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [A1, 5F] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F910F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA90F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ole32.dll!CoGetClassObject 771954AD 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] ole32.dll!CoCreateInstanceEx 771A9D4E 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!sendto 772F34B5 6 Bytes JMP 5FCD0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!closesocket 772F3918 6 Bytes JMP 5FDF0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!WSASend 772F4406 6 Bytes JMP 5FD90F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!recv 772F6B0E 6 Bytes JMP 5FC40F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!connect 772F6BDD 6 Bytes JMP 5FC10F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!send 772F6F01 6 Bytes JMP 5FCA0F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!WSARecv 772F7089 6 Bytes JMP 5FD30F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!recvfrom 772FB6DC 6 Bytes JMP 
5FC70F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!WSARecvFrom 772FCBA6 6 Bytes JMP 5FD60F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!WSAConnect 772FCC3F 6 Bytes JMP 5FD00F5A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3924] WS2_32.dll!WSASendTo 7730B30C 6 Bytes JMP 5FDC0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtCreateFile 775855C8 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtEnumerateKey 775858E8 3 
Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text 
C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F340F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B6, 5F] {MOV DH, 0x5f} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F9D0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] 
USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F940F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FAF0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB80F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FB20F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA60F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F970F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FAC0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F9A0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FBB0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FBE0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [A1, 5F] .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F910F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA90F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text 
C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ole32.dll!CoGetClassObject 771954AD 6 Bytes JMP 5F8B0F5A .text C:\Users\remik\Desktop\hfip3ntm.exe[4604] ole32.dll!CoCreateInstanceEx 771A9D4E 6 Bytes JMP 5F8E0F5A .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtClose 775854C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtClose + 4 775854CC 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtCreateFile 
775855C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtCreateFile + 4 775855CC 2 Bytes [6B, 5F] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtCreateKey 77585608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtCreateKey + 4 7758560C 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtDeleteFile 77585808 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtDeleteFile + 4 7758580C 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtDeleteKey 77585818 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtDeleteKey + 4 7758581C 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtDeleteValueKey 77585848 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtDeleteValueKey + 4 7758584C 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtDuplicateObject 77585898 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtDuplicateObject + 4 7758589C 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtEnumerateKey 775858E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtEnumerateKey + 4 775858EC 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtEnumerateValueKey 77585918 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtEnumerateValueKey + 4 7758591C 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtLoadDriver 77585B58 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtLoadDriver + 4 77585B5C 2 Bytes [83, 5F] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtOpenFile 77585CD8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] 
ntdll.dll!NtOpenFile + 4 77585CDC 2 Bytes [71, 5F] {JNO 0x61} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtQueryMultipleValueKey 77586108 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtQueryMultipleValueKey + 4 7758610C 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtQueryValueKey 77586248 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtQueryValueKey + 4 7758624C 2 Bytes [62, 5F] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtReadFile 775862B8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtReadFile + 4 775862BC 2 Bytes [74, 5F] {JZ 0x61} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtSetContextThread 77586568 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtSetContextThread + 4 7758656C 2 Bytes [80, 5F] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtSetInformationFile 77586638 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtSetInformationFile + 4 7758663C 2 Bytes [77, 5F] {JA 0x61} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtSetValueKey 77586808 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtSetValueKey + 4 7758680C 2 Bytes [65, 5F] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtUnloadKey 77586968 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtUnloadKey + 4 7758696C 2 Bytes [68, 5F] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtWriteFile 77586A68 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtWriteFile + 4 77586A6C 2 Bytes [7A, 5F] {JP 0x61} .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtWriteVirtualMemory 77586A98 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] ntdll.dll!NtWriteVirtualMemory + 4 77586A9C 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Windows\system32\conhost.exe[5624] 
kernel32.dll!CopyFileExW 7749B238 6 Bytes JMP 5F3D0F5A .text C:\Windows\system32\conhost.exe[5624] kernel32.dll!CreateFileMappingW 774A120C 6 Bytes JMP 5F400F5A .text C:\Windows\system32\conhost.exe[5624] kernel32.dll!TerminateProcess 774A2BBD 6 Bytes JMP 5F310F5A .text C:\Windows\system32\conhost.exe[5624] kernel32.dll!MoveFileWithProgressW 774A8D8C 6 Bytes JMP 5F460F5A .text C:\Windows\system32\conhost.exe[5624] kernel32.dll!MapViewOfFile 774A93DB 6 Bytes JMP 5F3A0F5A .text C:\Windows\system32\conhost.exe[5624] kernel32.dll!CreateFileMappingA 774A9C0E 6 Bytes JMP 5F370F5A .text C:\Windows\system32\conhost.exe[5624] kernel32.dll!MapViewOfFileEx 774AD7EC 6 Bytes JMP 5F340F5A .text C:\Windows\system32\conhost.exe[5624] kernel32.dll!CreateRemoteThread 774EFAF3 6 Bytes JMP 5F430F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!CreateAcceleratorTableW 77339794 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] USER32.dll!CreateAcceleratorTableW + 4 77339798 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Windows\system32\conhost.exe[5624] USER32.dll!GetAsyncKeyState 7733A256 6 Bytes JMP 5F970F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!BeginDeferWindowPos 7733A6A6 6 Bytes JMP 5F8E0F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!PostMessageA 7733B446 6 Bytes JMP 5FA90F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!SetWindowsHookExW 7733E30C 6 Bytes JMP 5FB20F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!SetWinEventHook 773424DC 6 Bytes JMP 5FAC0F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!GetKeyState 77342B4D 6 Bytes JMP 5FA00F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!DispatchMessageA 77342E32 6 Bytes JMP 5F910F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!PostMessageW 7734447B 6 Bytes JMP 5FA60F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!TranslateMessage 773464C7 6 Bytes JMP 5F940F5A .text C:\Windows\system32\conhost.exe[5624] 
USER32.dll!DispatchMessageW 7734CC61 6 Bytes JMP 5FB50F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!SetClipboardData 77352962 6 Bytes JMP 5FB80F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!GetKeyboardState 77366946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] USER32.dll!GetKeyboardState + 4 7736694A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Windows\system32\conhost.exe[5624] USER32.dll!AttachThreadInput 77366B54 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\conhost.exe[5624] USER32.dll!AttachThreadInput + 4 77366B58 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Windows\system32\conhost.exe[5624] USER32.dll!SetWindowsHookExA 77366D0C 6 Bytes JMP 5F8B0F5A .text C:\Windows\system32\conhost.exe[5624] USER32.dll!DdeConnect 7737EB5B 6 Bytes JMP 5FA30F5A .text C:\Windows\system32\conhost.exe[5624] ole32.dll!CLSIDFromProgIDEx 77170782 6 Bytes JMP 5F850F5A .text C:\Windows\system32\conhost.exe[5624] ole32.dll!CLSIDFromProgID 7718503C 6 Bytes JMP 5F880F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!StartServiceW 75B57974 6 Bytes JMP 5F280F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!OpenServiceW 75B5CA4C 6 Bytes JMP 5F220F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!OpenServiceA 75B62BF0 6 Bytes JMP 5F1F0F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!CloseServiceHandle 75B6369C 6 Bytes JMP 5F100F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!CreateServiceW 75B7712C 6 Bytes JMP 5F190F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!ControlService 75B77144 6 Bytes JMP 5F130F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!DeleteService 75B7715C 6 Bytes JMP 5F1C0F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!ChangeServiceConfig2A 75B930C8 6 Bytes JMP 5F0A0F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!ChangeServiceConfig2W 75B930D8 6 Bytes JMP 5F0D0F5A .text C:\Windows\system32\conhost.exe[5624] 
ADVAPI32.dll!ChangeServiceConfigA 75B930E8 6 Bytes JMP 5F040F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!ChangeServiceConfigW 75B930F8 6 Bytes JMP 5F070F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!CreateServiceA 75B93158 6 Bytes JMP 5F160F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!StartServiceA 75B93543 6 Bytes JMP 5F250F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!LsaAddAccountRights 75B98819 6 Bytes JMP 5F2B0F5A .text C:\Windows\system32\conhost.exe[5624] ADVAPI32.dll!LsaRemoveAccountRights 75B988B1 6 Bytes JMP 5F2E0F5A ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [83E03042] \SystemRoot\System32\Drivers\spfi.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [83E036D6] \SystemRoot\System32\Drivers\spfi.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [83E03800] \SystemRoot\System32\Drivers\spfi.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [83E0313E] \SystemRoot\System32\Drivers\spfi.sys IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortNotification] [00147880] \Windows\System32\autochk.exe (Auto Check Utility/Microsoft Corporation) IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortStallExecution] C25DC033 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8 IAT 
\SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortInitialize] 157B805E IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500 IAT \SystemRoot\System32\Drivers\anr5dktv.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74442437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74425600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE 
[gdiplus.dll!GdiplusShutdown] [744256BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744424B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74438514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74434CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7443506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74435144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74436671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7443826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT 
C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [744387BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7443901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7443E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2120] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74434BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device ShlDrv51.sys (PandaShield driver/Panda Security, S.L.) 
Device 8559E1F8 Device Ntfs.sys (Sterownik systemu plików NT/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 VMkbd.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 VMkbd.sys Device \Driver\volmgr \Device\VolMgrControl 8559A1F8 Device \Driver\usbohci \Device\USBPDO-0 8695B1F8 Device \Driver\usbohci \Device\USBPDO-0 hcmon.sys Device \Driver\usbohci \Device\USBPDO-1 8695B1F8 Device \Driver\usbohci \Device\USBPDO-1 hcmon.sys Device \Driver\usbohci \Device\USBPDO-2 8695B1F8 Device \Driver\usbohci \Device\USBPDO-2 hcmon.sys Device \Driver\usbohci \Device\USBPDO-3 8695B1F8 Device \Driver\usbohci \Device\USBPDO-3 hcmon.sys Device \Driver\usbohci \Device\USBPDO-4 8695B1F8 Device \Driver\usbohci \Device\USBPDO-4 hcmon.sys Device \Driver\usbehci \Device\USBPDO-5 869561F8 Device \Driver\usbehci \Device\USBPDO-5 hcmon.sys Device \Driver\usbhub \Device\USBPDO-6 hcmon.sys Device \Driver\volmgr \Device\HarddiskVolume1 8559A1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\usbhub \Device\USBPDO-7 hcmon.sys Device \Driver\volmgr \Device\HarddiskVolume2 8559A1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBT_Tcpip_{67685E5E-1359-4205-B611-45CEC0EC059C} 869111F8 Device \Driver\cdrom \Device\CdRom0 8661B1F8 Device \Driver\sptd \Device\2502773678 spfi.sys Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8559C1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 8559C1F8 Device \Driver\atapi \Device\Ide\IdePort0 8559C1F8 Device \Driver\atapi \Device\Ide\IdePort1 8559C1F8 Device \Driver\atapi \Device\Ide\IdePort2 8559C1F8 Device \Driver\atapi \Device\Ide\IdePort3 8559C1F8 Device \Driver\cdrom \Device\CdRom1 8661B1F8 Device \Driver\volmgr \Device\HarddiskVolume3 8559A1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker 
Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume4 8559A1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume5 8559A1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\PCI_PNP7675 \Device\00000076 spfi.sys Device \Driver\NetBT \Device\NetBt_Wins_Export 869111F8 Device \Driver\usbhub \Device\00000088 hcmon.sys Device \Driver\usbhub \Device\00000089 hcmon.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{87D5BACF-B6D0-483C-B3DB-0F9455DDAD41} 869111F8 Device \Driver\ACPI_HAL \Device\0000006b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\usbohci \Device\USBFDO-0 8695B1F8 Device \Driver\usbohci \Device\USBFDO-0 hcmon.sys Device \Driver\usbohci \Device\USBFDO-1 8695B1F8 Device \Driver\usbohci \Device\USBFDO-1 hcmon.sys Device \Driver\usbohci \Device\USBFDO-2 8695B1F8 Device \Driver\usbohci \Device\USBFDO-2 hcmon.sys Device \Driver\usbohci \Device\USBFDO-3 8695B1F8 Device \Driver\usbohci \Device\USBFDO-3 hcmon.sys Device \Driver\usbohci \Device\USBFDO-4 8695B1F8 Device \Driver\usbohci \Device\USBFDO-4 hcmon.sys Device \Driver\usbehci \Device\USBFDO-5 869561F8 Device \Driver\usbehci \Device\USBFDO-5 hcmon.sys Device \Driver\usbhub \Device\0000008a hcmon.sys Device \Driver\usbhub \Device\0000008b hcmon.sys Device \Driver\usbhub \Device\0000008c hcmon.sys Device \Driver\anr5dktv \Device\Scsi\anr5dktv1 86DCB500 Device \Driver\anr5dktv \Device\Scsi\anr5dktv1Port4Path0Target0Lun0 86DCB500 Device \Driver\usbhub \Device\0000008d hcmon.sys ---- Modules - GMER 1.0.15 ---- Module (noname) (*** hidden *** ) 8965C000-89675000 (102400 bytes) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg 
HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x62 0x83 0x30 0x48 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCB 0xEB 0x88 0x70 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x20 0xD4 0xA4 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x62 0x83 0x30 0x48 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCB 0xEB 0x88 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC9 0x35 0x01 0x20 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB27523$\222586567 0 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\@ 2048 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\bckfg.tmp 803 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\cfg.ini 207 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\keywords 198 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\kwrd.dll 223744 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\L 0 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\L\xadqgnnk 108544 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\lsflt7.ver 5176 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\U 0 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\U\00000001.@ 1536 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\U\80000000.@ 1024 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB27523$\222586567\U\80000032.@ 98304 bytes
File C:\Windows\$NtUninstallKB27523$\3102072711 0 bytes
File C:\Windows\System32\sys_drv.dat 7028 bytes
File C:\Windows\System32\sys_drv_2.dat 6024 bytes
File C:\Windows\System32\WinFLdrv.sys 10752 bytes executable <-- ROOTKIT !!!
File C:\Users\remik\AppData\Roaming\systemfl.$dk 990 bytes

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\WinFLdrv.sys [AUTO] WinFLdrv <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----