GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-02 07:47:53 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160815AS rev.4.AAA 149,05GB Running: 59d90jsn.exe; Driver: C:\DOCUME~1\FUJITS~1\USTAWI~1\Temp\pwlyykob.sys ---- System - GMER 2.1 ---- SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys ZwTerminateProcess [0xA879FA30] SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys ZwTerminateThread [0xA879EE50] SSDT \??\C:\WINDOWS\system32\PavSRK.sys ZwWriteVirtualMemory [0xBA4094E8] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 3030 80504918 4 Bytes CALL CD0A89B1 ? C:\WINDOWS\system32\PavTPK.sys Nie można odnaleźć określonego pliku. ! ? C:\WINDOWS\system32\PavSRK.sys Nie można odnaleźć określonego pliku. ! ? system32\drivers\av5flt.sys System nie może odnaleźć określonej ścieżki. ! ---- User code sections - GMER 2.1 ---- .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [65, 5F] {POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [68, 5F] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [6E, 5F] {OUTS DX, BYTE [ESI]; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3A0F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] kernel32.dll!CreateRemoteThread 7C8104FC 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] kernel32.dll!CreateRemoteThread + 4 7C810500 2 Bytes [3E, 5F] {POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] kernel32.dll!MoveFileWithProgressW 7C820E56 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] kernel32.dll!MoveFileWithProgressW + 4 7C820E5A 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] kernel32.dll!CopyFileExW 7C82925A 6 Bytes JMP 5F370F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FB50F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F940F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FA60F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F910F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FB20F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FA00F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F970F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FA90F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5F8E0F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FB80F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F8B0F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FAC0F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FA30F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 6 Bytes JMP 5F100F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!OpenServiceW 77DD6FFD 6 Bytes JMP 5F220F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!StartServiceA 77DDFB58 6 Bytes JMP 5F250F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!StartServiceW 77DE3E94 6 Bytes JMP 5F280F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!ControlService 77DE4A09 6 Bytes JMP 5F130F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!OpenServiceA 77DE4C66 6 Bytes JMP 5F1F0F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!LsaAddAccountRights 77E0ABF1 6 Bytes JMP 5F2B0F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 5F2E0F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 6 Bytes JMP 5F040F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!ChangeServiceConfigW 77E27001 6 Bytes JMP 5F070F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 6 Bytes JMP 5F0A0F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 3 Bytes [FF, 25, 1E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E2718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 5F160F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 5F190F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ADVAPI32.dll!DeleteService 77E274B1 6 Bytes JMP 5F1C0F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ole32.dll!CoCreateInstanceEx 774EF164 6 Bytes JMP 5F880F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ole32.dll!CoGetClassObject 77505205 6 Bytes JMP 5F850F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ole32.dll!CLSIDFromProgID 77508332 6 Bytes JMP 5F820F5A .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[160] ole32.dll!CLSIDFromProgIDEx 7754626D 6 Bytes JMP 5F7F0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] {POP EDI} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTS DX, BYTE [ESI]; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F520F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F5B0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F550F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] kernel32.dll!CreateRemoteThread 7C8104FC 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] kernel32.dll!CreateRemoteThread + 4 7C810500 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] kernel32.dll!MoveFileWithProgressW 7C820E56 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] kernel32.dll!MoveFileWithProgressW + 4 7C820E5A 2 Bytes [62, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] kernel32.dll!CopyFileExW 7C82925A 6 Bytes JMP 5F580F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FD60F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5FB50F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FC70F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5FB20F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [D1, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FD30F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FC10F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5FB80F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FCA0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5FAF0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [BF, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FD90F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5FAC0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FCD0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [BC, 5F] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FC40F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 6 Bytes JMP 5F310F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!OpenServiceW 77DD6FFD 6 Bytes JMP 5F430F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!StartServiceA 77DDFB58 6 Bytes JMP 5F460F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!StartServiceW 77DE3E94 6 Bytes JMP 5F490F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!ControlService 77DE4A09 6 Bytes JMP 5F340F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!OpenServiceA 77DE4C66 6 Bytes JMP 5F400F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!LsaAddAccountRights 77E0ABF1 6 Bytes JMP 5F4C0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 5F4F0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 6 Bytes JMP 5F250F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!ChangeServiceConfigW 77E27001 6 Bytes JMP 5F280F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 6 Bytes JMP 5F2B0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E2718D 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 5F370F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 5F3A0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ADVAPI32.dll!DeleteService 77E274B1 6 Bytes JMP 5F3D0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!sendto 71A52F51 6 Bytes JMP 5F100F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!recvfrom 71A52FF7 6 Bytes JMP 5F0A0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!closesocket 71A53E2B 6 Bytes JMP 5F220F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!connect 71A54A07 6 Bytes JMP 5F040F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!send 71A54C27 6 Bytes JMP 5F0D0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!WSARecv 71A54CB5 6 Bytes JMP 5F160F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!recv 71A5676F 6 Bytes JMP 5F070F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!WSASend 71A568FA 6 Bytes JMP 5F1C0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!WSARecvFrom 71A5F66A 6 Bytes JMP 5F190F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!WSASendTo 71A60AAD 6 Bytes JMP 5F1F0F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] WS2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 5F130F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ole32.dll!CoCreateInstanceEx 774EF164 6 Bytes JMP 5FA90F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ole32.dll!CoGetClassObject 77505205 6 Bytes JMP 5FA60F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ole32.dll!CLSIDFromProgID 77508332 6 Bytes JMP 5FA30F5A .text C:\Program Files\AplusC\uplook\Agent\svuhost.exe[1584] ole32.dll!CLSIDFromProgIDEx 7754626D 6 Bytes JMP 5FA00F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!sendto 71A52F51 6 Bytes JMP 5F100F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!recvfrom 71A52FF7 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!closesocket 71A53E2B 6 Bytes JMP 5F220F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!connect 71A54A07 6 Bytes JMP 5F040F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!send 71A54C27 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!WSARecv 71A54CB5 6 Bytes JMP 5F160F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!recv 71A5676F 6 Bytes JMP 5F070F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!WSASend 71A568FA 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!WSARecvFrom 71A5F66A 6 Bytes JMP 5F190F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!WSASendTo 71A60AAD 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1604] WS2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 5F130F5A .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] {POP EDI} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTS DX, BYTE [ESI]; POP EDI} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F520F5A .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F550F5A .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateRemoteThread 7C8104FC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CreateRemoteThread + 4 7C810500 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!MoveFileWithProgressW 7C820E56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!MoveFileWithProgressW + 4 7C820E5A 2 Bytes [62, 5F] .text C:\WINDOWS\Explorer.EXE[1984] kernel32.dll!CopyFileExW 7C82925A 6 Bytes JMP 5F580F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 6 Bytes JMP 5F310F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!OpenServiceW 77DD6FFD 6 Bytes JMP 5F430F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!StartServiceA 77DDFB58 6 Bytes JMP 5F460F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!StartServiceW 77DE3E94 6 Bytes JMP 5F490F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!ControlService 77DE4A09 6 Bytes JMP 5F340F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!OpenServiceA 77DE4C66 6 Bytes JMP 5F400F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!LsaAddAccountRights 77E0ABF1 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 6 Bytes JMP 5F250F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!ChangeServiceConfigW 77E27001 6 Bytes JMP 5F280F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E2718D 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 5F370F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\Explorer.EXE[1984] ADVAPI32.dll!DeleteService 77E274B1 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FD00F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5FAF0F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FC10F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [CB, 5F] {RETF ; POP EDI} .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FCD0F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FBB0F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FC40F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [B9, 5F] .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FD30F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FC70F5A .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [B6, 5F] {MOV DH, 0x5f} .text C:\WINDOWS\Explorer.EXE[1984] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FBE0F5A .text C:\WINDOWS\Explorer.EXE[1984] ole32.dll!CLSIDFromProgID 77508332 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\Explorer.EXE[1984] ole32.dll!CLSIDFromProgIDEx 7754626D 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!sendto 71A52F51 6 Bytes JMP 5F100F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!recvfrom 71A52FF7 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!closesocket 71A53E2B 6 Bytes JMP 5F220F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!connect 71A54A07 6 Bytes JMP 5F040F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!send 71A54C27 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!WSARecv 71A54CB5 6 Bytes JMP 5F160F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!recv 71A5676F 6 Bytes JMP 5F070F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!WSASend 71A568FA 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!WSARecvFrom 71A5F66A 6 Bytes JMP 5F190F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!WSASendTo 71A60AAD 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\Explorer.EXE[1984] WS2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 5F130F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [65, 5F] {POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [68, 5F] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [6E, 5F] {OUTS DX, BYTE [ESI]; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text C:\WINDOWS\RTHDCPL.EXE[2228] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] kernel32.dll!CreateRemoteThread 7C8104FC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] kernel32.dll!CreateRemoteThread + 4 7C810500 2 Bytes [3E, 5F] {POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] kernel32.dll!MoveFileWithProgressW 7C820E56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] kernel32.dll!MoveFileWithProgressW + 4 7C820E5A 2 Bytes [41, 5F] {INC ECX; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] kernel32.dll!CopyFileExW 7C82925A 6 Bytes JMP 5F370F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 6 Bytes JMP 5F100F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!OpenServiceW 77DD6FFD 6 Bytes JMP 5F220F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!StartServiceA 77DDFB58 6 Bytes JMP 5F250F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!StartServiceW 77DE3E94 6 Bytes JMP 5F280F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!ControlService 77DE4A09 6 Bytes JMP 5F130F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!OpenServiceA 77DE4C66 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!LsaAddAccountRights 77E0ABF1 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 6 Bytes JMP 5F040F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!ChangeServiceConfigW 77E27001 6 Bytes JMP 5F070F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E2718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 5F160F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 5F190F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ADVAPI32.dll!DeleteService 77E274B1 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ole32.dll!CoCreateInstanceEx 774EF164 6 Bytes JMP 5F880F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ole32.dll!CoGetClassObject 77505205 6 Bytes JMP 5F850F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ole32.dll!CLSIDFromProgID 77508332 6 Bytes JMP 5F820F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] ole32.dll!CLSIDFromProgIDEx 7754626D 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FB50F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F940F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F910F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FB20F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F970F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FA90F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FB80F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FAC0F5A .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\WINDOWS\RTHDCPL.EXE[2228] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FA30F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] {POP EDI} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTS DX, BYTE [ESI]; POP EDI} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F520F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F5B0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F550F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] kernel32.dll!CreateRemoteThread 7C8104FC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] kernel32.dll!CreateRemoteThread + 4 7C810500 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] kernel32.dll!MoveFileWithProgressW 7C820E56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] kernel32.dll!MoveFileWithProgressW + 4 7C820E5A 2 Bytes [62, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] kernel32.dll!CopyFileExW 7C82925A 6 Bytes JMP 5F580F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FD60F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5FB50F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FC70F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5FB20F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [D1, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FD30F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FC10F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5FB80F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FCA0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5FAF0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [BF, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FD90F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5FAC0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FCD0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [BC, 5F] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FC40F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 6 Bytes JMP 5F310F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!OpenServiceW 77DD6FFD 6 Bytes JMP 5F430F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!StartServiceA 77DDFB58 6 Bytes JMP 5F460F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!StartServiceW 77DE3E94 6 Bytes JMP 5F490F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!ControlService 77DE4A09 6 Bytes JMP 5F340F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!OpenServiceA 77DE4C66 6 Bytes JMP 5F400F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!LsaAddAccountRights 77E0ABF1 6 Bytes JMP 5F4C0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 5F4F0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 6 Bytes JMP 5F250F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!ChangeServiceConfigW 77E27001 6 Bytes JMP 5F280F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 6 Bytes JMP 5F2B0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 3 Bytes [FF, 25, 1E] .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E2718D 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 5F370F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ADVAPI32.dll!DeleteService 77E274B1 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!sendto 71A52F51 6 Bytes JMP 5F100F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!recvfrom 71A52FF7 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!closesocket 71A53E2B 6 Bytes JMP 5F220F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!connect 71A54A07 6 Bytes JMP 5F040F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!send 71A54C27 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!WSARecv 71A54CB5 6 Bytes JMP 5F160F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!recv 71A5676F 6 Bytes JMP 5F070F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!WSASend 71A568FA 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!WSARecvFrom 71A5F66A 6 Bytes JMP 5F190F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!WSASendTo 71A60AAD 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] WS2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 5F130F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ole32.dll!CoCreateInstanceEx 774EF164 6 Bytes JMP 5FA90F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ole32.dll!CoGetClassObject 77505205 6 Bytes JMP 5FA60F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ole32.dll!CLSIDFromProgID 77508332 6 Bytes JMP 5FA30F5A .text C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe[2408] ole32.dll!CLSIDFromProgIDEx 7754626D 6 Bytes JMP 5FA00F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!sendto 71A52F51 6 Bytes JMP 5F100F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!recvfrom 71A52FF7 6 Bytes JMP 5F0A0F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!closesocket 71A53E2B 6 Bytes JMP 5F220F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!connect 71A54A07 6 Bytes JMP 5F040F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!send 71A54C27 6 Bytes JMP 5F0D0F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!WSARecv 71A54CB5 6 Bytes JMP 5F160F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!recv 71A5676F 6 Bytes JMP 5F070F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!WSASend 71A568FA 6 Bytes JMP 5F1C0F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!WSARecvFrom 71A5F66A 6 Bytes JMP 5F190F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!WSASendTo 71A60AAD 6 Bytes JMP 5F1F0F5A .text C:\Program Files\HP\HP UT\bin\hppusg.exe[2608] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 5F130F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [44, 5F] {INC ESP; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [65, 5F] {POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [47, 5F] {INC EDI; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [68, 5F] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [4D, 5F] {DEC EBP; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [50, 5F] {PUSH EAX; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [7D, 5F] {JGE 0x61} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 5F] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [59, 5F] {POP ECX; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [5C, 5F] {POP ESP; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [6E, 5F] {OUTS DX, BYTE [ESI]; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [7A, 5F] {JP 0x61} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [71, 5F] {JNO 0x61} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [62, 5F] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [74, 5F] {JZ 0x61} .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [77, 5F] {JA 0x61} .text G:\Diagnostyka\59d90jsn.exe[3188] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F310F5A .text G:\Diagnostyka\59d90jsn.exe[3188] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F3A0F5A .text G:\Diagnostyka\59d90jsn.exe[3188] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F340F5A .text G:\Diagnostyka\59d90jsn.exe[3188] kernel32.dll!CreateRemoteThread 7C8104FC 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] kernel32.dll!CreateRemoteThread + 4 7C810500 2 Bytes [3E, 5F] {POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] kernel32.dll!MoveFileWithProgressW 7C820E56 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] kernel32.dll!MoveFileWithProgressW + 4 7C820E5A 2 Bytes [41, 5F] {INC ECX; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] kernel32.dll!CopyFileExW 7C82925A 6 Bytes JMP 5F370F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FB50F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F940F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FA60F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F910F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [B0, 5F] {MOV AL, 0x5f} .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FB20F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FA00F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F970F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FA90F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5F8E0F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FB80F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F8B0F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FAC0F5A .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FA30F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 6 Bytes JMP 5F100F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!OpenServiceW 77DD6FFD 6 Bytes JMP 5F220F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!StartServiceA 77DDFB58 6 Bytes JMP 5F250F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!StartServiceW 77DE3E94 6 Bytes JMP 5F280F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!ControlService 77DE4A09 6 Bytes JMP 5F130F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!OpenServiceA 77DE4C66 6 Bytes JMP 5F1F0F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!LsaAddAccountRights 77E0ABF1 6 Bytes JMP 5F2B0F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 5F2E0F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 6 Bytes JMP 5F040F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!ChangeServiceConfigW 77E27001 6 Bytes JMP 5F070F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 6 Bytes JMP 5F0A0F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 3 Bytes [FF, 25, 1E] .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E2718D 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 5F160F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 5F190F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ADVAPI32.dll!DeleteService 77E274B1 6 Bytes JMP 5F1C0F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ole32.dll!CoCreateInstanceEx 774EF164 6 Bytes JMP 5F880F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ole32.dll!CoGetClassObject 77505205 6 Bytes JMP 5F850F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ole32.dll!CLSIDFromProgID 77508332 6 Bytes JMP 5F820F5A .text G:\Diagnostyka\59d90jsn.exe[3188] ole32.dll!CLSIDFromProgIDEx 7754626D 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!sendto 71A52F51 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!recvfrom 71A52FF7 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!closesocket 71A53E2B 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!connect 71A54A07 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!send 71A54C27 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!WSARecv 71A54CB5 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!recv 71A5676F 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!WSASend 71A568FA 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!WSARecvFrom 71A5F66A 6 Bytes JMP 5F190F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!WSASendTo 71A60AAD 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3196] WS2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 5F130F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!sendto 71A52F51 6 Bytes JMP 5F100F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!recvfrom 71A52FF7 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!closesocket 71A53E2B 6 Bytes JMP 5F220F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!connect 71A54A07 6 Bytes JMP 5F040F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!send 71A54C27 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!WSARecv 71A54CB5 6 Bytes JMP 5F160F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!recv 71A5676F 6 Bytes JMP 5F070F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!WSASend 71A568FA 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!WSARecvFrom 71A5F66A 6 Bytes JMP 5F190F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!WSASendTo 71A60AAD 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Messenger\msmsgs.exe[3424] WS2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 5F130F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [65, 5F] {POP EDI} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [68, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtDeleteFile 7C90D23E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtDeleteFile + 4 7C90D242 2 Bytes [89, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [6B, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [6E, 5F] {OUTS DX, BYTE [ESI]; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtDuplicateObject 7C90D29E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtDuplicateObject + 4 7C90D2A2 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtEnumerateKey 7C90D2CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtEnumerateKey + 4 7C90D2D2 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 2 Bytes [77, 5F] {JA 0x61} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtLoadDriver 7C90D46E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtLoadDriver + 4 7C90D472 2 Bytes [9E, 5F] {SAHF ; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [8C, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtQueryMultipleValueKey 7C90D86E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtQueryMultipleValueKey + 4 7C90D872 2 Bytes [7A, 5F] {JP 0x61} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtQueryValueKey 7C90D96E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtQueryValueKey + 4 7C90D972 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtReadFile 7C90D9CE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtReadFile + 4 7C90D9D2 2 Bytes [8F, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [9B, 5F] {WAIT ; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [92, 5F] {XCHG EDX, EAX; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [80, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtUnloadKey 7C90DECE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtUnloadKey + 4 7C90DED2 2 Bytes [83, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [95, 5F] {XCHG EBP, EAX; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F520F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] kernel32.dll!CreateFileMappingW 7C80943C 6 Bytes JMP 5F5B0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] kernel32.dll!MapViewOfFileEx 7C80B936 6 Bytes JMP 5F550F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] kernel32.dll!CreateRemoteThread 7C8104FC 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] kernel32.dll!CreateRemoteThread + 4 7C810500 2 Bytes [5F, 5F] {POP EDI; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] kernel32.dll!MoveFileWithProgressW 7C820E56 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] kernel32.dll!MoveFileWithProgressW + 4 7C820E5A 2 Bytes [62, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] kernel32.dll!CopyFileExW 7C82925A 6 Bytes JMP 5F580F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 6 Bytes JMP 5F310F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!OpenServiceW 77DD6FFD 6 Bytes JMP 5F430F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!StartServiceA 77DDFB58 6 Bytes JMP 5F460F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!StartServiceW 77DE3E94 6 Bytes JMP 5F490F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!ControlService 77DE4A09 6 Bytes JMP 5F340F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!OpenServiceA 77DE4C66 6 Bytes JMP 5F400F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!LsaAddAccountRights 77E0ABF1 6 Bytes JMP 5F4C0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC91 6 Bytes JMP 5F4F0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 6 Bytes JMP 5F250F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!ChangeServiceConfigW 77E27001 6 Bytes JMP 5F280F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 6 Bytes JMP 5F2B0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!ChangeServiceConfig2W + 4 77E2718D 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 5F370F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 5F3A0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ADVAPI32.dll!DeleteService 77E274B1 6 Bytes JMP 5F3D0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FD60F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5FB50F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 5FC70F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5FB20F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!CreateAcceleratorTableW 7E36D9BB 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!CreateAcceleratorTableW + 4 7E36D9BF 2 Bytes [D1, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5FD30F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5FC10F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5FB80F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 5FCA0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!BeginDeferWindowPos 7E37AFB9 6 Bytes JMP 5FAF0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!GetKeyboardState 7E37D226 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!GetKeyboardState + 4 7E37D22A 2 Bytes [BF, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!SetClipboardData 7E380F9E 6 Bytes JMP 5FD90F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5FAC0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5FCD0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!AttachThreadInput 7E381E52 3 Bytes [FF, 25, 1E] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!AttachThreadInput + 4 7E381E56 2 Bytes [BC, 5F] .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5FC40F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ole32.dll!CoCreateInstanceEx 774EF164 6 Bytes JMP 5FA90F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ole32.dll!CoGetClassObject 77505205 6 Bytes JMP 5FA60F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ole32.dll!CLSIDFromProgID 77508332 6 Bytes JMP 5FA30F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] ole32.dll!CLSIDFromProgIDEx 7754626D 6 Bytes JMP 5FA00F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!sendto 71A52F51 6 Bytes JMP 5F100F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!recvfrom 71A52FF7 6 Bytes JMP 5F0A0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!closesocket 71A53E2B 6 Bytes JMP 5F220F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!connect 71A54A07 6 Bytes JMP 5F040F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!send 71A54C27 6 Bytes JMP 5F0D0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!WSARecv 71A54CB5 6 Bytes JMP 5F160F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!recv 71A5676F 6 Bytes JMP 5F070F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!WSASend 71A568FA 6 Bytes JMP 5F1C0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!WSARecvFrom 71A5F66A 6 Bytes JMP 5F190F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!WSASendTo 71A60AAD 6 Bytes JMP 5F1F0F5A .text C:\Program Files\AplusC\uplook\Agent\AnuTest.exe[3512] WS2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 5F130F5A ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys AttachedDevice \FileSystem\Ntfs \Ntfs av5flt.sys Device \FileSystem\Fastfat \FatCdrom ShlDrv51.sys Device \FileSystem\Fastfat \Fat ShlDrv51.sys AttachedDevice \FileSystem\Fastfat \Fat pavdrv51.sys AttachedDevice \FileSystem\Fastfat \Fat av5flt.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5140210900063D11C8EF10054038389C\Usage@MSOfficeDocumentImaging 1117950532 ---- EOF - GMER 2.1 ----