GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-30 12:31:35
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD40 rev.06.0
Running: gmer.exe; Driver: C:\DOCUME~1\HANS~1.AAL\LOCALS~1\Temp\pwryrpod.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys (Panda Protection driver/Panda Security, S.L.) ZwTerminateProcess [0xB24084E8]
SSDT \??\C:\WINDOWS\system32\PavSRK.sys ZwWriteVirtualMemory [0xB220BC30]
INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B3C0816D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B3C07FC2

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F9C 80503D70 4 Bytes CALL B3027DF9
? ZR@G\A@J@ The system cannot find the path specified. !
? C:\WINDOWS\system32\PavTPK.sys The system cannot find the file specified. !
? system32\drivers\xpsec.sys The system cannot find the path specified. !
? system32\drivers\xcpip.sys The system cannot find the path specified. !
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB25C8400, 0x7960C, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB266A420] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB266A420]
.protect˙˙˙˙hardlockunknown last code section [0xB266A200, 0x5049, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB266A200, 0x5049, 0xE0000020]
? C:\WINDOWS\system32\PavSRK.sys The system cannot find the file specified. !
? system32\drivers\av5flt.sys The system cannot find the path specified. !
---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [65, 5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [68, 5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] 
ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtReadFile + 4 7C90D9D2 2 
Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Intel\Intel Matrix 
Storage Manager\iaantmon.exe[136] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F340F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [3E, 5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F370F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FB50F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FA60F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FA00F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FA90F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [9E, 5F] 
{SAHF ; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F970F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FB20F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FB80F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FA30F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F100F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F220F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F130F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Intel\Intel Matrix Storage 
Manager\iaantmon.exe[136] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F280F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!StartServiceA 77DF25D8 4 Bytes JMP 26001E25 .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!StartServiceA + 5 77DF25DD 1 Byte [5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F040F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F070F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F160F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F190F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5F880F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5F850F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5F820F5A .text 
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe[136] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5F7F0F5A .text C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe[228] WS2_32.dll!send 71AB428A 5 Bytes JMP 01F49C7F .text C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe[228] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01F49F94 .text C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe[228] WS2_32.dll!recv 71AB615A 5 Bytes JMP 01F49D60 .text C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe[228] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01F49E33 .text C:\Program Files\Panda Security\Panda Internet Security 2010\PsCtrls.exe[228] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01F4A0E2 .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [65, 5F] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [68, 5F] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program 
Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text 
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\Program 
Files\Java\jre1.5.0_06\bin\jusched.exe[264] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F340F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [3E, 5F] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F370F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F100F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F220F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F130F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F280F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!StartServiceA 77DF25D8 4 Bytes JMP 26001E25 .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!StartServiceA + 5 77DF25DD 1 Byte [5F] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] 
ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F040F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F070F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F160F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F190F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FB50F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FA60F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FA00F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FA90F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F970F5A .text 
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FB20F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FB80F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FA30F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5F880F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5F850F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5F820F5A .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[264] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5F7F0F5A .text C:\Program Files\Panda Security\Panda Internet Security 2010\PsImSvc.exe[276] WS2_32.dll!send 71AB428A 5 Bytes JMP 01979C7F .text C:\Program Files\Panda Security\Panda Internet Security 2010\PsImSvc.exe[276] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01979F94 .text C:\Program Files\Panda Security\Panda Internet Security 2010\PsImSvc.exe[276] WS2_32.dll!recv 71AB615A 5 Bytes JMP 01979D60 .text C:\Program 
Files\Panda Security\Panda Internet Security 2010\PsImSvc.exe[276] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01979E33 .text C:\Program Files\Panda Security\Panda Internet Security 2010\PsImSvc.exe[276] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0197A0E2 .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [65, 5F] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [68, 5F] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] 
ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common 
Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Common 
Files\Real\Update_OB\realsched.exe[600] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F340F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [3E, 5F] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F370F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5F880F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5F850F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5F820F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5F7F0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F100F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F220F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F130F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F280F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] 
ADVAPI32.dll!StartServiceA 77DF25D8 4 Bytes JMP 26001E25 .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!StartServiceA + 5 77DF25DD 1 Byte [5F] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F040F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F070F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F160F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F190F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FB50F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FA60F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FA00F5A 
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FA90F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F970F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FB20F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FB80F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FA30F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!sendto 71AB2C69 6 Bytes JMP 5FC10F5A .text C:\Program Files\Common 
Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!recvfrom 71AB2D0F 6 Bytes JMP 5FBE0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5FBB0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!send 71AB428A 5 Bytes JMP 01419C7F .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01419F94 .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!recv 71AB615A 5 Bytes JMP 01419D60 .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01419E33 .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0141A0E2 .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!WSARecvFrom 71ABF652 6 Bytes JMP 5FC70F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!WSASendTo 71AC0A95 6 Bytes JMP 5FCA0F5A .text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[600] WS2_32.dll!WSAConnect 71AC0C69 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtDeleteFile + 4 7C90D242 2 
Bytes [89, 5F] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes 
[FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [62, 5F] .text C:\WINDOWS\system32\svchost.exe[620] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!StartServiceA 77DF25D8 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F250F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\svchost.exe[620] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FD60F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5FB50F5A .text 
C:\WINDOWS\system32\svchost.exe[620] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FCA0F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5FAF0F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [BF, 5F] .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [D1, 5F] .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FD90F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [BC, 5F] .text C:\WINDOWS\system32\svchost.exe[620] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\system32\svchost.exe[620] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\svchost.exe[620] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\svchost.exe[620] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes 
JMP 5FA30F5A .text C:\WINDOWS\system32\svchost.exe[620] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!sendto 71AB2C69 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!recvfrom 71AB2D0F 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!send 71AB428A 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!WSARecv 71AB4318 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!recv 71AB615A 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!WSASend 71AB6233 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!closesocket 71AB9639 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!WSARecvFrom 71ABF652 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!WSASendTo 71AC0A95 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\svchost.exe[620] WS2_32.dll!WSAConnect 71AC0C69 6 Bytes JMP 5F130F5A .text c:\program files\panda security\panda internet security 2010\firewall\PSHOST.EXE[708] WS2_32.dll!send 71AB428A 5 Bytes JMP 022F9C7F .text c:\program files\panda security\panda internet security 2010\firewall\PSHOST.EXE[708] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 022F9F94 .text c:\program files\panda security\panda internet security 2010\firewall\PSHOST.EXE[708] WS2_32.dll!recv 71AB615A 5 Bytes JMP 022F9D60 .text c:\program files\panda security\panda internet security 2010\firewall\PSHOST.EXE[708] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 022F9E33 .text c:\program files\panda security\panda internet security 2010\firewall\PSHOST.EXE[708] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 022FA0E2 .text C:\Program Files\Panda Security\Panda Internet Security 2010\SRVLOAD.EXE[752] WS2_32.dll!send 71AB428A 5 Bytes JMP 01179C7F .text C:\Program Files\Panda 
Security\Panda Internet Security 2010\SRVLOAD.EXE[752] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01179F94 .text C:\Program Files\Panda Security\Panda Internet Security 2010\SRVLOAD.EXE[752] WS2_32.dll!recv 71AB615A 5 Bytes JMP 01179D60 .text C:\Program Files\Panda Security\Panda Internet Security 2010\SRVLOAD.EXE[752] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01179E33 .text C:\Program Files\Panda Security\Panda Internet Security 2010\SRVLOAD.EXE[752] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0117A0E2 .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text 
C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [62, 5F] .text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F400F5A .text 
C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!StartServiceA 77DF25D8 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F250F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FD60F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FCA0F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5FAF0F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] 
USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [BF, 5F] .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [D1, 5F] .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FD90F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [BC, 5F] .text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\system32\svchost.exe[848] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\svchost.exe[848] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\svchost.exe[848] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\svchost.exe[848] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!sendto 71AB2C69 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!recvfrom 71AB2D0F 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!send 71AB428A 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!WSARecv 71AB4318 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!recv 
71AB615A 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!WSASend 71AB6233 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!closesocket 71AB9639 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!WSARecvFrom 71ABF652 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!WSASendTo 71AC0A95 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!WSAConnect 71AC0C69 6 Bytes JMP 5F130F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text 
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F520F5A .text 
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F550F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [62, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F580F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!sendto 71AB2C69 6 Bytes JMP 5F100F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!recvfrom 71AB2D0F 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!send 71AB428A 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!WSARecv 71AB4318 6 Bytes JMP 5F160F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!recv 71AB615A 6 Bytes JMP 5F070F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!WSASend 71AB6233 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!closesocket 71AB9639 6 Bytes JMP 5F220F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!WSARecvFrom 71ABF652 6 Bytes JMP 5F190F5A .text 
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!WSASendTo 71AC0A95 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] WS2_32.dll!WSAConnect 71AC0C69 6 Bytes JMP 5F130F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F310F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F430F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F340F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F400F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F490F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!StartServiceA 77DF25D8 6 Bytes JMP 5F460F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F250F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F280F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F370F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] 
ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FD60F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FCA0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5FAF0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [BF, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [D1, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FD90F5A .text 
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [BC, 5F] .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe[1100] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\SYSTEM32\winlogon.exe[1140] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 011E2C81 .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\lsass.exe[1196] 
ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\system32\lsass.exe[1196] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\lsass.exe[1196] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\lsass.exe[1196] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\lsass.exe[1196] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\lsass.exe[1196] 
kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [62, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!StartServiceA 77DF25D8 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F250F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\lsass.exe[1196] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FD60F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 
5FB50F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FCA0F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5FAF0F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [BF, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [D1, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FD90F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [BC, 5F] .text C:\WINDOWS\system32\lsass.exe[1196] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!sendto 71AB2C69 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!recvfrom 71AB2D0F 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F040F5A .text 
C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!send 71AB428A 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!WSARecv 71AB4318 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!recv 71AB615A 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!WSASend 71AB6233 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!closesocket 71AB9639 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!WSARecvFrom 71ABF652 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!WSASendTo 71AC0A95 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\lsass.exe[1196] WS2_32.dll!WSAConnect 71AC0C69 6 Bytes JMP 5F130F5A .text C:\WINDOWS\system32\lsass.exe[1196] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\lsass.exe[1196] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\lsass.exe[1196] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\lsass.exe[1196] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDeleteFile + 4 7C90D242 
2 Bytes [68, 5F] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text 
C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [3E, 5F] .text 
C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F130F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!StartServiceA 77DF25D8 4 Bytes JMP 26001E25 .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!StartServiceA + 5 77DF25DD 1 Byte [5F] .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\svchost.exe[1336] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F1C0F5A .text 
C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F970F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1336] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FA30F5A .text 
C:\WINDOWS\system32\svchost.exe[1336] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5F880F5A .text C:\WINDOWS\system32\svchost.exe[1336] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5F850F5A .text C:\WINDOWS\system32\svchost.exe[1336] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5F820F5A .text C:\WINDOWS\system32\svchost.exe[1336] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [68, 5F] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text 
C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] 
ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [3E, 5F] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FA60F5A .text 
C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F970F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\Ati2evxx.exe[1404] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 
5F130F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!StartServiceA 77DF25D8 4 Bytes JMP 26001E25 .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!StartServiceA + 5 77DF25DD 1 Byte [5F] .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5F880F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5F850F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5F820F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1404] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] .text 
C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtOpenFile 7C90D59E 
3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 
2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [62, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!StartServiceA 77DF25D8 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F250F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\svchost.exe[1420] 
ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FD60F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FCA0F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5FAF0F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [BF, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [D1, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FD90F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!SetWindowsHookExA 7E4311D1 6 
Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [BC, 5F] .text C:\WINDOWS\system32\svchost.exe[1420] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\system32\svchost.exe[1420] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\svchost.exe[1420] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\svchost.exe[1420] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\svchost.exe[1420] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!sendto 71AB2C69 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!recvfrom 71AB2D0F 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!send 71AB428A 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!WSARecv 71AB4318 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!recv 71AB615A 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!WSASend 71AB6233 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!closesocket 71AB9639 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!WSARecvFrom 71ABF652 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!WSASendTo 71AC0A95 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\svchost.exe[1420] WS2_32.dll!WSAConnect 71AC0C69 6 Bytes JMP 5F130F5A .text C:\Program Files\Panda Security\Panda Internet Security 2010\PavFnSvr.exe[1476] WS2_32.dll!send 71AB428A 5 Bytes JMP 035F9C7F .text 
C:\Program Files\Panda Security\Panda Internet Security 2010\PavFnSvr.exe[1476] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 035F9F94 .text C:\Program Files\Panda Security\Panda Internet Security 2010\PavFnSvr.exe[1476] WS2_32.dll!recv 71AB615A 5 Bytes JMP 035F9D60 .text C:\Program Files\Panda Security\Panda Internet Security 2010\PavFnSvr.exe[1476] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 035F9E33 .text C:\Program Files\Panda Security\Panda Internet Security 2010\PavFnSvr.exe[1476] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 035FA0E2 .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 
5F] {JNO 0x61} .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtSetValueKey 
7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [62, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\svchost.exe[1492] 
ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!StartServiceA 77DF25D8 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F250F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FD60F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FCA0F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5FAF0F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!GetKeyboardState 7E41EF29 
3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [BF, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [D1, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FD90F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [BC, 5F] .text C:\WINDOWS\system32\svchost.exe[1492] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\system32\svchost.exe[1492] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\svchost.exe[1492] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\svchost.exe[1492] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\svchost.exe[1492] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!sendto 71AB2C69 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!recvfrom 71AB2D0F 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!send 71AB428A 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!WSARecv 
71AB4318 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!recv 71AB615A 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!WSASend 71AB6233 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!closesocket 71AB9639 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!WSARecvFrom 71ABF652 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!WSASendTo 71AC0A95 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!WSAConnect 71AC0C69 6 Bytes JMP 5F130F5A .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG 
EDX, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [62, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!ControlService 77DEE055 
6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!StartServiceA 77DF25D8 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F250F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\svchost.exe[1604] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FD60F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FCA0F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5FAF0F5A .text 
C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [BF, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [D1, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FD90F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [BC, 5F] .text C:\WINDOWS\system32\svchost.exe[1604] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\system32\svchost.exe[1604] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\svchost.exe[1604] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\svchost.exe[1604] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\svchost.exe[1604] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!sendto 71AB2C69 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!recvfrom 71AB2D0F 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!send 71AB428A 6 Bytes JMP 
5F0D0F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!WSARecv 71AB4318 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!recv 71AB615A 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!WSASend 71AB6233 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!closesocket 71AB9639 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!WSARecvFrom 71ABF652 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!WSASendTo 71AC0A95 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\svchost.exe[1604] WS2_32.dll!WSAConnect 71AC0C69 6 Bytes JMP 5F130F5A .text C:\Program Files\Panda Security\Panda Internet Security 2010\TPSrv.exe[1624] WS2_32.dll!send 71AB428A 5 Bytes JMP 00A19C7F .text C:\Program Files\Panda Security\Panda Internet Security 2010\TPSrv.exe[1624] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 00A19F94 .text C:\Program Files\Panda Security\Panda Internet Security 2010\TPSrv.exe[1624] WS2_32.dll!recv 71AB615A 5 Bytes JMP 00A19D60 .text C:\Program Files\Panda Security\Panda Internet Security 2010\TPSrv.exe[1624] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00A19E33 .text C:\Program Files\Panda Security\Panda Internet Security 2010\TPSrv.exe[1624] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00A1A0E2 .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtCreateFile + 
4 7C90D0B2 2 Bytes [65, 5F] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [68, 5F] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common 
Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Common Files\ArcSoft\Connection 
Service\Bin\ACService.exe[1720] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F340F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] kernel32.dll!CreateRemoteThread 7C81043C 3 
Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [3E, 5F] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F370F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F100F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F220F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F130F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F280F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!StartServiceA 77DF25D8 4 Bytes JMP 26001E25 .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!StartServiceA + 5 77DF25DD 1 Byte [5F] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Common Files\ArcSoft\Connection 
Service\Bin\ACService.exe[1720] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F040F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F070F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F160F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F190F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FB50F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FA60F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FA00F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FA90F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5F8E0F5A .text 
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F970F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FB20F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FB80F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FA30F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5F880F5A .text C:\Program Files\Common Files\ArcSoft\Connection 
Service\Bin\ACService.exe[1720] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5F850F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5F820F5A .text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1720] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] 
ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text 
C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [62, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F490F5A 
.text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!StartServiceA 77DF25D8 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F250F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\svchost.exe[1784] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FD60F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FCA0F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5FAF0F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [BF, 5F] .text 
C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [D1, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FD90F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [BC, 5F] .text C:\WINDOWS\system32\svchost.exe[1784] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\system32\svchost.exe[1784] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\svchost.exe[1784] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\svchost.exe[1784] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\svchost.exe[1784] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!sendto 71AB2C69 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!recvfrom 71AB2D0F 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!send 71AB428A 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!WSARecv 71AB4318 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!recv 71AB615A 6 Bytes JMP 5F070F5A .text 
C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!WSASend 71AB6233 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!closesocket 71AB9639 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!WSARecvFrom 71ABF652 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!WSASendTo 71AC0A95 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\svchost.exe[1784] WS2_32.dll!WSAConnect 71AC0C69 6 Bytes JMP 5F130F5A .text C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2010\WebProxy.exe[1864] WS2_32.dll!send 71AB428A 5 Bytes JMP 0C789C7F .text C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2010\WebProxy.exe[1864] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 0C789F94 .text C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2010\WebProxy.exe[1864] WS2_32.dll!recv 71AB615A 5 Bytes JMP 0C789D60 .text C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2010\WebProxy.exe[1864] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0C789E33 .text C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2010\WebProxy.exe[1864] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0C78A0E2 .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] 
.text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1972] 
kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [62, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!StartServiceA 77DF25D8 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F250F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\svchost.exe[1972] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FD60F5A .text C:\WINDOWS\system32\svchost.exe[1972] 
USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FCA0F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5FAF0F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [BF, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [D1, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FD90F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [BC, 5F] .text C:\WINDOWS\system32\svchost.exe[1972] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\system32\svchost.exe[1972] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\svchost.exe[1972] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5FA60F5A 
.text C:\WINDOWS\system32\svchost.exe[1972] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\svchost.exe[1972] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!sendto 71AB2C69 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!recvfrom 71AB2D0F 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!send 71AB428A 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!WSARecv 71AB4318 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!recv 71AB615A 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!WSASend 71AB6233 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!closesocket 71AB9639 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!WSARecvFrom 71ABF652 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!WSASendTo 71AC0A95 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\svchost.exe[1972] WS2_32.dll!WSAConnect 71AC0C69 6 Bytes JMP 5F130F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [65, 5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes 
[FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [68, 5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program 
Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage 
Manager\iaanotif.exe[2172] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F340F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [3E, 5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] 
kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F370F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FB50F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FA60F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FA00F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FA90F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F970F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FB20F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FB80F5A .text C:\Program 
Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FA30F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F100F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F220F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F130F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F280F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!StartServiceA 77DF25D8 4 Bytes JMP 26001E25 .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!StartServiceA + 5 77DF25DD 1 Byte [5F] .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] 
ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F040F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F070F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F160F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F190F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5F880F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ole32.dll!CoGetClassObject 77515DB2 6 Bytes JMP 5F850F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ole32.dll!CLSIDFromProgID 775242CC 6 Bytes JMP 5F820F5A .text C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe[2172] ole32.dll!CLSIDFromProgIDEx 775561FE 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [65, 5F] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtCreateKey 7C90D0EE 3 
Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [68, 5F] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] 
ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [6E, 5F] {OUTSB ; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] kernel32.dll!CreateFileMappingW 7C8093AA 6 Bytes JMP 
5F3A0F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] kernel32.dll!MapViewOfFileEx 7C80B8A6 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] kernel32.dll!CreateRemoteThread 7C81043C 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] kernel32.dll!CreateRemoteThread + 4 7C810440 2 Bytes [3E, 5F] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] kernel32.dll!MoveFileWithProgressW 7C81F73E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] kernel32.dll!MoveFileWithProgressW + 4 7C81F742 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] kernel32.dll!CopyFileExW 7C827B42 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!CloseServiceHandle 77DE5BED 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!OpenServiceW 77DE5F05 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!ControlService 77DEE055 6 Bytes JMP 5F130F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!OpenServiceA 77DEE2AE 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!StartServiceW 77DEE5A4 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!StartServiceA 77DF25D8 4 Bytes JMP 26001E25 .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!StartServiceA + 5 77DF25DD 1 Byte [5F] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!LsaAddAccountRights 77E1AA01 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!LsaRemoveAccountRights 77E1AAA1 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!ChangeServiceConfigA 77E36D11 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!ChangeServiceConfigW 77E36EA9 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!ChangeServiceConfig2A 77E36FA9 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] 
ADVAPI32.dll!ChangeServiceConfig2W 77E37031 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ADVAPI32.dll!DeleteService 77E37359 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!DispatchMessageW 7E418A01 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!TranslateMessage 7E418BF6 6 Bytes JMP 5F940F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!PostMessageW 7E418CCB 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F910F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!GetKeyState 7E41C505 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!PostMessageA 7E41CB85 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!BeginDeferWindowPos 7E41D907 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!GetKeyboardState 7E41EF29 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!GetKeyboardState + 4 7E41EF2D 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!GetAsyncKeyState 7E41F3B3 6 Bytes JMP 5F970F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!CreateAcceleratorTableW 7E42D3C1 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!CreateAcceleratorTableW + 4 7E42D3C5 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!SetClipboardData 7E430F5E 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F8B0F5A .text 
C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!SetWinEventHook 7E4317B7 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!AttachThreadInput 7E431E12 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!AttachThreadInput + 4 7E431E16 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\system32\wfxsnt40.exe[2184] USER32.dll!DdeConnect 7E457F93 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\wfxsnt40.exe[2184] ole32.dll!CoCreateInstanceEx 774FFA6B 6 Bytes JMP 5F880F5A