GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-19 02:24:48 Windows 6.1.7601 Service Pack 1 \Device\Harddisk1\DR1 -> \Device\00000063 SAMSUNG_ rev.CP10 298,09GB Running: vgii8zji.exe; Driver: C:\Temp\uwdiqaog.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0x8EC0D464] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcConnectPort [0x8EC0BAC2] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcCreatePort [0x8EC0B594] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwAlpcSendWaitReceivePort [0x8FF93756] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0x8EC0C95E] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwClose [0x8FF8550E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwConnectPort [0x8EC0B682] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateFile [0x8EC123A6] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateKey [0x8FF85914] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreatePort [0x8EC0B4A0] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateSection [0x8FF8D2D5] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateThread [0x8FF8DD64] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateThreadEx [0x8FF8DDA2] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateUserProcess [0x8FF8D8DA] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwDebugActiveProcess [0x8FF8CBA8] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwDeleteKey [0x8FF8496B] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwDeleteValueKey [0x8FF84A8F] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwDeviceIoControlFile [0x8FF93C17] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwDuplicateObject [0x8EC0B362] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwEnumerateKey [0x8FF9E327] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwEnumerateValueKey [0x8FF9D232] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwFreeVirtualMemory [0x8FF8CDDB] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwFsControlFile [0x8FF94603] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwInitiatePowerAction [0x8FF9262F] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwLoadDriver [0x8FF92F6B] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenFile [0x8EC12724] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwOpenKey [0x8FF9D42D] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwOpenKeyEx [0x8FF9D658] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwOpenProcess [0x8FF8CE28] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwOpenSection [0x8FF915D7] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenThread [0x8EC0A8DE] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwProtectVirtualMemory [0x8FF8C0F4] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwQueryKey [0x8FF9D886] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwQueryValueKey [0x8FF852A6] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwQueueApcThread [0x8FF8BE93] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwRaiseHardError [0x8FF92668] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwRenameKey [0x8FF85C8D] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRequestPort [0x8EC0BCE6] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwRequestWaitReplyPort [0x8FF93307] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwRestoreKey [0x8FF8554D] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwResumeThread [0x8EC0B102] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSecureConnectPort [0x8EC0B8A4] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSetContextThread [0x8FF8C591] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSetSystemInformation [0x8FF91B8E] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSetSystemPowerState [0x8FF925F6] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSetSystemTime [0x8FF925B3] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSetValueKey [0x8FF84CAA] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwShutdownSystem [0x8FF91A6F] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSuspendProcess [0x8FF8C516] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSuspendThread [0x8FF8BED4] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSystemDebugControl [0x8FF91A9E] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwTerminateJobObject [0x8FF8C32C] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwTerminateProcess [0x8FF8C2ED] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwTerminateThread [0x8FF8C554] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwTestAlert [0x8FF8D070] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwUnloadDriver [0x8EC0C54E] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwUnmapViewOfSection [0x8FF8CD80] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwWriteFile [0x8FF92E05] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwWriteVirtualMemory [0x8FF8C098] Code 8609627C ZwAcceptConnectPort Code 85EB52D4 ZwCreateSymbolicLinkObject Code 85EB5C54 ZwWriteFile Code 85EB5C53 NtWriteFile ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82C82A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CBC212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82CC3488 4 Bytes [64, D4, C0, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82CC3494 8 Bytes [C2, BA, C0, 8E, 94, B5, C0, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82CC34D8 4 Bytes [56, 37, F9, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CC34E8 4 Bytes [5E, C9, C0, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 116F 82CC3504 4 Bytes [0E, 55, F8, 8F] .text ... ? C:\Windows\system32\Drivers\PROCEXP152.SYS Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtImpersonateThread 771D5B18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtImpersonateThread + 4 771D5B1C 2 Bytes [A0, 71] .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [75, 71] {JNZ 0x73} .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [6E, 71] .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtSetInformationThread 771D66D8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[404] ntdll.dll!NtSetInformationThread + 4 771D66DC 2 Bytes [9D, 71] .text C:\Windows\system32\csrss.exe[404] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 7198000A .text C:\Windows\system32\csrss.exe[404] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 7195000A .text C:\Windows\system32\csrss.exe[404] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 718C000A .text C:\Windows\system32\csrss.exe[404] kernel32.dll!Wow64DisableWow64FsRedirection 76C4C2F1 6 Bytes JMP 7180000A .text C:\Windows\system32\csrss.exe[404] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7189000A .text C:\Windows\system32\csrss.exe[404] kernel32.dll!FindNextFileW 76C59C5E 6 Bytes JMP 71A7000A .text C:\Windows\system32\csrss.exe[404] kernel32.dll!FindFirstFileW 76C64104 6 Bytes JMP 71AE000A .text C:\Windows\system32\csrss.exe[404] kernel32.dll!FindClose 76C64CDC 6 Bytes JMP 71A4000A .text C:\Windows\system32\csrss.exe[404] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7186000A .text C:\Windows\system32\csrss.exe[404] kernel32.dll!Wow64EnableWow64FsRedirection 76C9AA49 6 Bytes JMP 7183000A .text C:\Windows\system32\csrss.exe[404] kernel32.dll!Wow64RevertWow64FsRedirection 76CA0289 6 Bytes JMP 717D000A .text C:\Windows\system32\csrss.exe[404] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7192000A .text C:\Windows\system32\csrss.exe[404] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 718F000A .text C:\Windows\system32\csrss.exe[404] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 719B000A .text C:\Windows\system32\wininit.exe[464] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[464] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Windows\system32\wininit.exe[464] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[464] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Windows\system32\wininit.exe[464] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[464] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Windows\system32\wininit.exe[464] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[464] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Windows\system32\wininit.exe[464] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[464] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Windows\system32\wininit.exe[464] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\system32\wininit.exe[464] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text C:\Windows\system32\wininit.exe[464] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\Windows\system32\wininit.exe[464] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7198000A .text C:\Windows\system32\wininit.exe[464] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Windows\system32\wininit.exe[464] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Windows\system32\wininit.exe[464] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Windows\system32\wininit.exe[464] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Windows\system32\wininit.exe[464] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtImpersonateThread 771D5B18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtImpersonateThread + 4 771D5B1C 2 Bytes [A0, 71] .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [75, 71] {JNZ 0x73} .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [6E, 71] .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtSetInformationThread 771D66D8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\csrss.exe[476] ntdll.dll!NtSetInformationThread + 4 771D66DC 2 Bytes [9D, 71] .text C:\Windows\system32\csrss.exe[476] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 7198000A .text C:\Windows\system32\csrss.exe[476] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 7195000A .text C:\Windows\system32\csrss.exe[476] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 718C000A .text C:\Windows\system32\csrss.exe[476] kernel32.dll!Wow64DisableWow64FsRedirection 76C4C2F1 6 Bytes JMP 7180000A .text C:\Windows\system32\csrss.exe[476] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7189000A .text C:\Windows\system32\csrss.exe[476] kernel32.dll!FindNextFileW 76C59C5E 6 Bytes JMP 71A7000A .text C:\Windows\system32\csrss.exe[476] kernel32.dll!FindFirstFileW 76C64104 6 Bytes JMP 71AE000A .text C:\Windows\system32\csrss.exe[476] kernel32.dll!FindClose 76C64CDC 6 Bytes JMP 71A4000A .text C:\Windows\system32\csrss.exe[476] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7186000A .text C:\Windows\system32\csrss.exe[476] kernel32.dll!Wow64EnableWow64FsRedirection 76C9AA49 6 Bytes JMP 7183000A .text C:\Windows\system32\csrss.exe[476] kernel32.dll!Wow64RevertWow64FsRedirection 76CA0289 6 Bytes JMP 717D000A .text C:\Windows\system32\csrss.exe[476] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7192000A .text C:\Windows\system32\csrss.exe[476] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 718F000A .text C:\Windows\system32\csrss.exe[476] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 719B000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8F, 71] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8B, 71] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [87, 71] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [84, 71] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [81, 71] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7173000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717C000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 717F000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7179000A .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[480] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7176000A .text C:\Windows\system32\services.exe[512] services.exe 00DF318A 6 Bytes JMP 7175000A .text C:\Windows\system32\services.exe[512] services.exe 00DF34A4 6 Bytes JMP 7172000A .text C:\Windows\system32\services.exe[512] services.exe 00DFB8FB 6 Bytes JMP 7178000A .text C:\Windows\system32\services.exe[512] services.exe 00DFDB0D 6 Bytes JMP 716F000A .text C:\Windows\system32\services.exe[512] services.exe 00E1F49F 6 Bytes JMP 716C000A .text C:\Windows\system32\services.exe[512] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[512] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [88, 71] .text C:\Windows\system32\services.exe[512] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[512] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [84, 71] .text C:\Windows\system32\services.exe[512] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[512] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [80, 71] .text C:\Windows\system32\services.exe[512] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[512] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\services.exe[512] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[512] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\services.exe[512] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\system32\services.exe[512] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 719E000A .text C:\Windows\system32\services.exe[512] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 719B000A .text C:\Windows\system32\services.exe[512] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7192000A .text C:\Windows\system32\services.exe[512] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 718F000A .text C:\Windows\system32\services.exe[512] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718C000A .text C:\Windows\system32\services.exe[512] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7198000A .text C:\Windows\system32\services.exe[512] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7195000A .text C:\Windows\system32\services.exe[512] ADVAPI32.dll!ImpersonateNamedPipeClient 764F3475 6 Bytes JMP 71A4000A .text C:\Windows\system32\services.exe[512] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A1000A .text C:\Windows\system32\services.exe[512] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 715D000A .text C:\Windows\system32\services.exe[512] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 7166000A .text C:\Windows\system32\services.exe[512] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 7169000A .text C:\Windows\system32\services.exe[512] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7163000A .text C:\Windows\system32\services.exe[512] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7160000A .text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [88, 71] .text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [84, 71] .text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [80, 71] .text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[536] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsass.exe[536] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 719E000A .text C:\Windows\system32\lsass.exe[536] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 719B000A .text C:\Windows\system32\lsass.exe[536] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7192000A .text C:\Windows\system32\lsass.exe[536] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 718F000A .text C:\Windows\system32\lsass.exe[536] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718C000A .text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7198000A .text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7195000A .text C:\Windows\system32\lsass.exe[536] ADVAPI32.dll!ImpersonateNamedPipeClient 764F3475 6 Bytes JMP 71A4000A .text C:\Windows\system32\lsass.exe[536] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A1000A .text C:\Windows\system32\lsm.exe[544] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[544] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Windows\system32\lsm.exe[544] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[544] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Windows\system32\lsm.exe[544] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[544] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Windows\system32\lsm.exe[544] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[544] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Windows\system32\lsm.exe[544] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[544] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Windows\system32\lsm.exe[544] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\system32\lsm.exe[544] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text C:\Windows\system32\lsm.exe[544] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\Windows\system32\lsm.exe[544] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7198000A .text C:\Windows\system32\lsm.exe[544] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Windows\system32\lsm.exe[544] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Windows\system32\lsm.exe[544] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Windows\system32\lsm.exe[544] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Windows\system32\lsm.exe[544] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [88, 71] .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [84, 71] .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [80, 71] .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\winlogon.exe[580] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\system32\winlogon.exe[580] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 719E000A .text C:\Windows\system32\winlogon.exe[580] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 719B000A .text C:\Windows\system32\winlogon.exe[580] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7192000A .text C:\Windows\system32\winlogon.exe[580] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 718F000A .text C:\Windows\system32\winlogon.exe[580] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718C000A .text C:\Windows\system32\winlogon.exe[580] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7198000A .text C:\Windows\system32\winlogon.exe[580] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7195000A .text C:\Windows\system32\winlogon.exe[580] ADVAPI32.dll!ImpersonateNamedPipeClient 764F3475 6 Bytes JMP 71A4000A .text C:\Windows\system32\winlogon.exe[580] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A1000A .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8F, 71] .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8B, 71] .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [87, 71] .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [84, 71] .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [81, 71] .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Program Files\Bonjour\mDNSResponder.exe[636] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Program Files\Bonjour\mDNSResponder.exe[636] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text C:\Program Files\Bonjour\mDNSResponder.exe[636] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7199000A .text C:\Program Files\Bonjour\mDNSResponder.exe[636] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7196000A .text C:\Program Files\Bonjour\mDNSResponder.exe[636] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7193000A .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text C:\Program Files\Bonjour\mDNSResponder.exe[636] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[684] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[684] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [84, 71] .text C:\Windows\system32\svchost.exe[684] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[684] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [80, 71] .text C:\Windows\system32\svchost.exe[684] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[684] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [7C, 71] {JL 0x73} .text C:\Windows\system32\svchost.exe[684] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[684] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [79, 71] {JNS 0x73} .text C:\Windows\system32\svchost.exe[684] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[684] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [76, 71] {JBE 0x73} .text C:\Windows\system32\svchost.exe[684] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\system32\svchost.exe[684] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[684] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[684] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 718E000A .text C:\Windows\system32\svchost.exe[684] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 718B000A .text C:\Windows\system32\svchost.exe[684] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7188000A .text C:\Windows\system32\svchost.exe[684] RPCRT4.dll!RpcServerRegisterIfEx 76420898 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[684] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 71A7000A .text C:\Windows\system32\svchost.exe[684] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7191000A .text C:\Windows\system32\svchost.exe[684] ADVAPI32.dll!ImpersonateNamedPipeClient 764F3475 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[684] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[684] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7168000A .text C:\Windows\system32\svchost.exe[684] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 716E000A .text C:\Windows\system32\svchost.exe[684] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 7171000A .text C:\Windows\system32\svchost.exe[684] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 716B000A .text C:\Windows\system32\svchost.exe[684] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7174000A .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [7F, 71] {JG 0x73} .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [7B, 71] {JNP 0x73} .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\nvvsvc.exe[756] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\system32\nvvsvc.exe[756] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text C:\Windows\system32\nvvsvc.exe[756] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\Windows\system32\nvvsvc.exe[756] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7195000A .text C:\Windows\system32\nvvsvc.exe[756] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7192000A .text C:\Windows\system32\nvvsvc.exe[756] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718F000A .text C:\Windows\system32\nvvsvc.exe[756] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Windows\system32\nvvsvc.exe[756] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Windows\system32\nvvsvc.exe[756] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Windows\system32\nvvsvc.exe[756] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7183000A .text C:\Windows\system32\nvvsvc.exe[756] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 718C000A .text C:\Windows\system32\nvvsvc.exe[756] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 7198000A .text C:\Windows\system32\nvvsvc.exe[756] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7189000A .text C:\Windows\system32\nvvsvc.exe[756] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7186000A .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [85, 71] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [81, 71] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [7D, 71] {JGE 0x73} .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[796] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[796] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 719B000A .text C:\Windows\system32\svchost.exe[796] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 7198000A .text C:\Windows\system32\svchost.exe[796] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 718F000A .text C:\Windows\system32\svchost.exe[796] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 718C000A .text C:\Windows\system32\svchost.exe[796] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7189000A .text C:\Windows\system32\svchost.exe[796] RPCRT4.dll!RpcServerRegisterIfEx 76420898 6 Bytes JMP 71A4000A .text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7195000A .text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7192000A .text C:\Windows\system32\svchost.exe[796] ADVAPI32.dll!ImpersonateNamedPipeClient 764F3475 6 Bytes JMP 71A1000A .text C:\Windows\system32\svchost.exe[796] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 719E000A .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [89, 71] .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [85, 71] .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [81, 71] .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [7E, 71] {JLE 0x73} .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [7B, 71] {JNP 0x73} .text C:\Windows\system32\svchost.exe[1032] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1032] RPCRT4.dll!RpcServerRegisterIfEx 76420898 6 Bytes JMP 71A5000A .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1032] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A2000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!RtlAdjustPrivilege 7719BC4A 6 Bytes JMP 70C5000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtAlpcConnectPort 771D5348 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtAlpcConnectPort + 4 771D534C 2 Bytes [18, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtConnectPort 771D5598 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtConnectPort + 4 771D559C 2 Bytes [1B, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtCreateEvent 771D55E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtCreateEvent + 4 771D55EC 2 Bytes [30, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [F7, 70] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtCreateMutant 771D5688 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtCreateMutant + 4 771D568C 2 Bytes [2A, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtLoadDriver 771D5B98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtLoadDriver + 4 771D5B9C 2 Bytes [24, 71] {AND AL, 0x71} .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtOpenEvent 771D5CF8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtOpenEvent + 4 771D5CFC 2 Bytes [2D, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [F3, 70] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtOpenMutant 771D5D98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtOpenMutant + 4 771D5D9C 2 Bytes [27, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [EF, 70] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtQueryDirectoryFile 771D5FD8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtQueryDirectoryFile + 4 771D5FDC 2 Bytes [E0, 70] {LOOPNZ 0x72} .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [EC, 70] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtQueryInformationFile 771D6058 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtQueryInformationFile + 4 771D605C 2 Bytes [E6, 70] {OUT 0x70, AL} .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtQueryVolumeInformationFile 771D62A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtQueryVolumeInformationFile + 4 771D62AC 2 Bytes [E3, 70] {JECXZ 0x72} .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtSecureConnectPort 771D6568 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtSecureConnectPort + 4 771D656C 2 Bytes [1E, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes JMP 752066F1 .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtSetInformationProcess 771D66B8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtSetInformationProcess + 4 771D66BC 2 Bytes [C1, 70] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtUnloadDriver 771D6998 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ntdll.dll!NtUnloadDriver + 4 771D699C 2 Bytes [21, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 713D000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 713A000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!RemoveDirectoryW 76C45A7A 6 Bytes JMP 716D000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!GetCurrentDirectoryA 76C476BA 6 Bytes JMP 717B000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!Wow64DisableWow64FsRedirection 76C4C2F1 6 Bytes JMP 70FE000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!CreateFileMappingW 76C5131C 6 Bytes JMP 70C8000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!CreateMutexW 76C5349E 6 Bytes JMP 70CB000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!DeviceIoControl 76C5BA35 6 Bytes JMP 7104000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!GetModuleFileNameA 76C5D80A 6 Bytes JMP 7181000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!GetModuleFileNameW 76C5EFE5 6 Bytes JMP 717E000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!GetCurrentDirectoryW 76C6B947 6 Bytes JMP 7178000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!Wow64EnableWow64FsRedirection 76C9AA49 6 Bytes JMP 7101000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!RemoveDirectoryA 76CA01CF 6 Bytes JMP 716A000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] kernel32.dll!Wow64RevertWow64FsRedirection 76CA0289 6 Bytes JMP 70FB000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!RegisterRawInputDevices 76625B52 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!RegisterRawInputDevices + 4 76625B56 2 Bytes [A7, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!GetAsyncKeyState 7662A256 6 Bytes JMP 7193000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!PostThreadMessageA 7662AD09 6 Bytes JMP 7149000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SendMessageA 7662AD60 6 Bytes JMP 714F000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!PostMessageA 7662B446 6 Bytes JMP 7155000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SetWindowsHookExW 7662E30C 6 Bytes JMP 719C000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SendMessageTimeoutW 7662E459 6 Bytes JMP 710A000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!PostThreadMessageW 7662EEFC 6 Bytes JMP 714C000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!ShowWindow 7662F2A9 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!ShowWindow + 4 7662F2AD 2 Bytes [95, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!GetKeyState 76632B4D 6 Bytes JMP 7190000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SendMessageCallbackW 76632F7B 6 Bytes JMP 715E000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!PostMessageW 7663447B 6 Bytes JMP 7158000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SendMessageW 76635539 6 Bytes JMP 7152000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!GetKeyboardState 76656946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!GetKeyboardState + 4 7665694A 2 Bytes [8C, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SetKeyboardState 7665695A 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SetKeyboardState + 4 7665695E 2 Bytes [89, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SetWindowsHookExA 76656D0C 6 Bytes JMP 7199000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SendMessageTimeoutA 76656DA9 6 Bytes JMP 7107000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SendInput 76657019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SendInput + 4 7665701D 2 Bytes [86, 71] .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!EndTask 7666FD66 6 Bytes JMP 719F000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!keybd_event 7667EC3B 6 Bytes JMP 7184000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] USER32.dll!SendMessageCallbackA 76683E8B 6 Bytes JMP 715B000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 7146000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ADVAPI32.dll!SetNamedSecurityInfoW 764B9F82 6 Bytes JMP 7167000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7137000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7134000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] RPCRT4.dll!RpcServerUseProtseqEpExW 76420FC7 6 Bytes JMP 70B3000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 710D000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 7116000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 7164000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] SHELL32.dll!SHChangeNotifyRegister 758423C1 6 Bytes JMP 71A5000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] SHELL32.dll!SHChangeNotifyDeregister 758476CD 6 Bytes JMP 71A2000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] SHELL32.dll!SHOpenFolderAndSelectItems 759F5332 6 Bytes JMP 71AF000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7113000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7110000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ole32.dll!RegisterDragDrop 7566E924 6 Bytes JMP 7143000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ole32.dll!RevokeDragDrop 7566EA05 6 Bytes JMP 7140000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 7161000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] WS2_32.dll!bind 76BD4582 6 Bytes JMP 70B0000A .text C:\Program Files\Admin\BufferZone\BZRPCSS.EXE[1060] WS2_32.dll!listen 76BDB001 6 Bytes JMP 70AD000A .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [89, 71] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [85, 71] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [81, 71] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [7E, 71] {JLE 0x73} .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [7B, 71] {JNP 0x73} .text C:\Windows\System32\svchost.exe[1068] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Windows\System32\svchost.exe[1068] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1068] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1068] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1068] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1068] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1068] RPCRT4.dll!RpcServerRegisterIfEx 76420898 6 Bytes JMP 71A5000A .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1068] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1068] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A2000A .text C:\Windows\System32\svchost.exe[1068] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 716D000A .text C:\Windows\System32\svchost.exe[1068] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 7173000A .text C:\Windows\System32\svchost.exe[1068] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 7176000A .text C:\Windows\System32\svchost.exe[1068] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7170000A .text C:\Windows\System32\svchost.exe[1068] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7179000A .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8F, 71] .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8B, 71] .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [87, 71] .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [84, 71] .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [81, 71] .text C:\Windows\System32\svchost.exe[1100] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Windows\System32\svchost.exe[1100] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Windows\System32\svchost.exe[1100] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text C:\Windows\System32\svchost.exe[1100] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1100] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1100] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1100] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1100] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1100] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1100] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7173000A .text C:\Windows\System32\svchost.exe[1100] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 7176000A .text C:\Windows\System32\svchost.exe[1100] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 7179000A .text C:\Windows\System32\svchost.exe[1100] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 717F000A .text C:\Windows\System32\svchost.exe[1100] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 717C000A .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [89, 71] .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [85, 71] .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [81, 71] .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [7E, 71] {JLE 0x73} .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [7B, 71] {JNP 0x73} .text C:\Windows\system32\svchost.exe[1144] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1144] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1144] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1144] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1144] RPCRT4.dll!RpcServerRegisterIfEx 76420898 6 Bytes JMP 71A5000A .text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1144] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1144] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A2000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!RtlAdjustPrivilege 7719BC4A 6 Bytes JMP 70C5000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtAlpcConnectPort 771D5348 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtAlpcConnectPort + 4 771D534C 2 Bytes [18, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtConnectPort 771D5598 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtConnectPort + 4 771D559C 2 Bytes [1B, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtCreateEvent 771D55E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtCreateEvent + 4 771D55EC 2 Bytes [30, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [F7, 70] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtCreateMutant 771D5688 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtCreateMutant + 4 771D568C 2 Bytes [2A, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtLoadDriver 771D5B98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtLoadDriver + 4 771D5B9C 2 Bytes [24, 71] {AND AL, 0x71} .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtOpenEvent 771D5CF8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtOpenEvent + 4 771D5CFC 2 Bytes [2D, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [F3, 70] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtOpenMutant 771D5D98 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtOpenMutant + 4 771D5D9C 2 Bytes [27, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [EF, 70] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtQueryDirectoryFile 771D5FD8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtQueryDirectoryFile + 4 771D5FDC 2 Bytes [E0, 70] {LOOPNZ 0x72} .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [EC, 70] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtQueryInformationFile 771D6058 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtQueryInformationFile + 4 771D605C 2 Bytes [E6, 70] {OUT 0x70, AL} .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtQueryVolumeInformationFile 771D62A8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtQueryVolumeInformationFile + 4 771D62AC 2 Bytes [E3, 70] {JECXZ 0x72} .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtSecureConnectPort 771D6568 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtSecureConnectPort + 4 771D656C 2 Bytes [1E, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes JMP 752066F1 .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtSetInformationProcess 771D66B8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtSetInformationProcess + 4 771D66BC 2 Bytes [C1, 70] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtUnloadDriver 771D6998 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ntdll.dll!NtUnloadDriver + 4 771D699C 2 Bytes [21, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 713D000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 713A000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!RemoveDirectoryW 76C45A7A 6 Bytes JMP 716D000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!GetCurrentDirectoryA 76C476BA 6 Bytes JMP 717B000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!Wow64DisableWow64FsRedirection 76C4C2F1 6 Bytes JMP 70FE000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!CreateFileMappingW 76C5131C 6 Bytes JMP 70C8000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!CreateMutexW 76C5349E 6 Bytes JMP 70CB000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!DeviceIoControl 76C5BA35 6 Bytes JMP 7104000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!GetModuleFileNameA 76C5D80A 6 Bytes JMP 7181000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!GetModuleFileNameW 76C5EFE5 6 Bytes JMP 717E000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!GetCurrentDirectoryW 76C6B947 6 Bytes JMP 7178000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!Wow64EnableWow64FsRedirection 76C9AA49 6 Bytes JMP 7101000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!RemoveDirectoryA 76CA01CF 6 Bytes JMP 716A000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] kernel32.dll!Wow64RevertWow64FsRedirection 76CA0289 6 Bytes JMP 70FB000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!RegisterRawInputDevices 76625B52 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!RegisterRawInputDevices + 4 76625B56 2 Bytes [A7, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!GetAsyncKeyState 7662A256 6 Bytes JMP 7193000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!PostThreadMessageA 7662AD09 6 Bytes JMP 7149000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SendMessageA 7662AD60 6 Bytes JMP 714F000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!PostMessageA 7662B446 6 Bytes JMP 7155000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SetWindowsHookExW 7662E30C 6 Bytes JMP 719C000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SendMessageTimeoutW 7662E459 6 Bytes JMP 710A000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!PostThreadMessageW 7662EEFC 6 Bytes JMP 714C000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!ShowWindow 7662F2A9 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!ShowWindow + 4 7662F2AD 2 Bytes [95, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!GetKeyState 76632B4D 6 Bytes JMP 7190000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SendMessageCallbackW 76632F7B 6 Bytes JMP 715E000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!PostMessageW 7663447B 6 Bytes JMP 7158000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SendMessageW 76635539 6 Bytes JMP 7152000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!GetKeyboardState 76656946 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!GetKeyboardState + 4 7665694A 2 Bytes [8C, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SetKeyboardState 7665695A 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SetKeyboardState + 4 7665695E 2 Bytes [89, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SetWindowsHookExA 76656D0C 6 Bytes JMP 7199000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SendMessageTimeoutA 76656DA9 6 Bytes JMP 7107000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SendInput 76657019 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SendInput + 4 7665701D 2 Bytes [86, 71] .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!EndTask 7666FD66 6 Bytes JMP 719F000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!keybd_event 7667EC3B 6 Bytes JMP 7184000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] USER32.dll!SendMessageCallbackA 76683E8B 6 Bytes JMP 715B000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 7146000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ADVAPI32.dll!SetNamedSecurityInfoW 764B9F82 6 Bytes JMP 7167000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7137000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7134000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] RPCRT4.dll!RpcServerUseProtseqEpExW 76420FC7 6 Bytes JMP 70B9000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] RPCRT4.dll!I_RpcBindingInqLocalClientPID 76431F89 6 Bytes JMP 70B6000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 710D000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 7116000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 7164000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] SHELL32.dll!SHChangeNotifyRegister 758423C1 6 Bytes JMP 71A5000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] SHELL32.dll!SHChangeNotifyDeregister 758476CD 6 Bytes JMP 71A2000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] SHELL32.dll!SHOpenFolderAndSelectItems 759F5332 6 Bytes JMP 71AF000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7113000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7110000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ole32.dll!RegisterDragDrop 7566E924 6 Bytes JMP 7143000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ole32.dll!RevokeDragDrop 7566EA05 6 Bytes JMP 7140000A .text C:\Program Files\Admin\BufferZone\BZDCOMLAUNCH.EXE[1168] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 7161000A .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [86, 71] .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [82, 71] .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [7E, 71] {JLE 0x73} .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [7B, 71] {JNP 0x73} .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [78, 71] {JS 0x73} .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1184] RPCRT4.dll!RpcServerRegisterIfEx 76420898 6 Bytes JMP 71A5000A .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!ImpersonateNamedPipeClient 764F3475 6 Bytes JMP 71A2000A .text C:\Windows\system32\svchost.exe[1184] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1184] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 716A000A .text C:\Windows\system32\svchost.exe[1184] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 7176000A .text C:\Windows\system32\svchost.exe[1184] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 716D000A .text C:\Windows\system32\svchost.exe[1184] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7170000A .text C:\Windows\system32\svchost.exe[1184] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7173000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtCreateProcess 771D56D8 5 Bytes JMP 026A2DB0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtCreateProcessEx 771D56E8 5 Bytes JMP 026A2D20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 026A5780 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 026A56E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!CopyFileW 76C46C07 5 Bytes JMP 026A3630 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 026A3400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!LoadLibraryExA 76C54576 5 Bytes JMP 026A3900 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!LoadLibraryExW 76C55189 5 Bytes JMP 026A3A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!MoveFileWithProgressW 76C58E9C 5 Bytes JMP 026D2CD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 026A36F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 026A3880 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!CreateProcessInternalW 76C60852 5 Bytes JMP 026A40E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!CreateProcessInternalA 76C6C954 5 Bytes JMP 026A44E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!CopyFileA 76C76E12 5 Bytes JMP 026A34C0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!CopyFileExA 76C9D231 5 Bytes JMP 026A3280 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] kernel32.dll!WinExec + 5 76C9F233 6 Bytes JMP 026A3EC0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!RegSetValueExA 764C1433 5 Bytes JMP 026A6FA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!RegQueryValueExW 764C462D 5 Bytes JMP 026A53F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!RegQueryValueExA 764C486F 5 Bytes JMP 026A5030 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] advapi32.DLL!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] user32.DLL!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] user32.DLL!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] user32.DLL!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] user32.DLL!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] shlwapi.DLL!SHRegGetUSValueW 76B8252D 5 Bytes JMP 026A4E90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ole32.dll!CoGetClassObject 756854AD 5 Bytes JMP 026D2E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7172000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717B000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 026D2DF0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 026A46D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7175000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!ioctlsocket 76BD3084 6 Bytes JMP 7121000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!sendto 76BD34B5 6 Bytes JMP 7127000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!closesocket 76BD3918 6 Bytes JMP 026D2B00 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!WSASend 76BD4406 5 Bytes JMP 026A1650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!select 76BD6989 6 Bytes JMP 7124000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!recv 76BD6B0E 6 Bytes JMP 026D2AD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!connect 76BD6BDD 6 Bytes JMP 712D000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!send 76BD6F01 5 Bytes JMP 026A1470 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!WSARecv 76BD7089 6 Bytes JMP 026D2A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!WSAGetOverlappedResult 76BD7489 6 Bytes JMP 026D2A40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WS2_32.dll!WSAAsyncSelect 76BEB014 6 Bytes JMP 711E000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WININET.dll!HttpOpenRequestW 76D19A50 5 Bytes JMP 026A2F70 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WININET.dll!InternetConnectW 76D1C8E0 5 Bytes JMP 026A3010 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WININET.dll!HttpOpenRequestA 76D9A450 5 Bytes JMP 026A2E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WININET.dll!InternetOpenUrlA 76DE9610 3 Bytes JMP 026A30B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WININET.dll!InternetOpenUrlA + 4 76DE9614 1 Byte [8B] .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WININET.dll!InternetOpenUrlW 76DEA0D0 3 Bytes JMP 026A31E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1264] WININET.dll!InternetOpenUrlW + 4 76DEA0D4 1 Byte [8B] .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [80, 71] .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [7C, 71] {JL 0x73} .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [78, 71] {JS 0x73} .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [75, 71] {JNZ 0x73} .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [72, 71] {JB 0x73} .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7196000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7193000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7190000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] advapi32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] advapi32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7184000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 718D000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 7199000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 718A000A .text C:\Program Files\Security\Online Armor\OAcat.exe[1504] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8F, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8B, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [87, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [84, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [81, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7173000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 717F000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7179000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1512] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7176000A .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8F, 71] .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8B, 71] .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [87, 71] .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [84, 71] .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [81, 71] .text C:\Windows\system32\nvvsvc.exe[1520] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Windows\system32\nvvsvc.exe[1520] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Windows\system32\nvvsvc.exe[1520] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text C:\Windows\system32\nvvsvc.exe[1520] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[1520] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[1520] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[1520] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[1520] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[1520] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[1520] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7173000A .text C:\Windows\system32\nvvsvc.exe[1520] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717C000A .text C:\Windows\system32\nvvsvc.exe[1520] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 717F000A .text C:\Windows\system32\nvvsvc.exe[1520] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7179000A .text C:\Windows\system32\nvvsvc.exe[1520] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7176000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [5F, 71] .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [62, 71] .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A8000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 7169000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7166000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] user32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] user32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [83, 71] .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] user32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 71A2000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] user32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 7187000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 717B000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 7178000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7181000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 717E000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] advapi32.dll!CreateServiceW 764D70C4 6 Bytes JMP 718A000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] advapi32.dll!CreateServiceA 764F3264 6 Bytes JMP 718D000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] advapi32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 719C000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] advapi32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 7196000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] advapi32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 719F000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] advapi32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7199000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 71AF000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7190000A .text C:\Program Files\Admin\BufferZone\ClientGUI.exe[1528] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 7193000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [80, 71] .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [7C, 71] {JL 0x73} .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [78, 71] {JS 0x73} .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [75, 71] {JNZ 0x73} .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [72, 71] {JB 0x73} .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7196000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7193000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7190000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7184000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 718D000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 7199000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 718A000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7187000A .text c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1800] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8F, 71] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8B, 71] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [87, 71] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [84, 71] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [81, 71] .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Windows\System32\spoolsv.exe[1928] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Windows\System32\spoolsv.exe[1928] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text C:\Windows\System32\spoolsv.exe[1928] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1928] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1928] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1928] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text C:\Windows\System32\spoolsv.exe[1928] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1928] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8F, 71] .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8B, 71] .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [87, 71] .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [84, 71] .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [81, 71] .text C:\Windows\system32\svchost.exe[1996] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Windows\system32\svchost.exe[1996] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Windows\system32\svchost.exe[1996] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text C:\Windows\system32\svchost.exe[1996] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1996] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1996] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1996] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1996] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1996] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Windows\system32\taskhost.exe[2244] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\system32\taskhost.exe[2244] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text C:\Windows\system32\taskhost.exe[2244] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\Windows\system32\taskhost.exe[2244] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7198000A .text C:\Windows\system32\taskhost.exe[2244] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Windows\system32\taskhost.exe[2244] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 713C000A .text C:\Windows\system32\taskhost.exe[2244] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7139000A .text C:\Windows\system32\taskhost.exe[2244] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Windows\system32\taskhost.exe[2244] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Windows\system32\taskhost.exe[2244] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Windows\system32\taskhost.exe[2244] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Windows\system32\taskhost.exe[2244] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Windows\system32\taskhost.exe[2244] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Windows\system32\taskhost.exe[2244] USER32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2244] USER32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Windows\system32\taskhost.exe[2244] USER32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Windows\system32\taskhost.exe[2244] USER32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Windows\system32\taskhost.exe[2244] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Windows\system32\taskhost.exe[2244] ADVAPI32.dll!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Windows\system32\taskhost.exe[2244] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Windows\system32\taskhost.exe[2244] ADVAPI32.dll!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Windows\system32\taskhost.exe[2244] ADVAPI32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Windows\system32\taskhost.exe[2244] ADVAPI32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Windows\system32\taskhost.exe[2244] ADVAPI32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Windows\system32\taskhost.exe[2244] ADVAPI32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Windows\system32\taskhost.exe[2244] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7172000A .text C:\Windows\system32\taskhost.exe[2244] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717B000A .text C:\Windows\system32\taskhost.exe[2244] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[2244] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7178000A .text C:\Windows\system32\taskhost.exe[2244] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7175000A .text C:\Windows\system32\taskhost.exe[2244] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Windows\system32\taskhost.exe[2244] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Windows\system32\taskhost.exe[2244] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8F, 71] .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8B, 71] .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [87, 71] .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [84, 71] .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [81, 71] .text C:\Windows\system32\SearchIndexer.exe[2256] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Windows\system32\SearchIndexer.exe[2256] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Windows\system32\SearchIndexer.exe[2256] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text C:\Windows\system32\SearchIndexer.exe[2256] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[2256] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[2256] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[2256] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text C:\Windows\system32\SearchIndexer.exe[2256] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[2256] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[2256] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7173000A .text C:\Windows\system32\SearchIndexer.exe[2256] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717C000A .text C:\Windows\system32\SearchIndexer.exe[2256] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 717F000A .text C:\Windows\system32\SearchIndexer.exe[2256] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7179000A .text C:\Windows\system32\SearchIndexer.exe[2256] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7176000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtCreateProcess 771D56D8 5 Bytes JMP 02632DB0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtCreateProcessEx 771D56E8 5 Bytes JMP 02632D20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 02635780 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 026356E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!CopyFileW 76C46C07 5 Bytes JMP 02633630 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 02633400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!LoadLibraryExA 76C54576 5 Bytes JMP 02633900 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!LoadLibraryExW 76C55189 5 Bytes JMP 02633A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!MoveFileWithProgressW 76C58E9C 5 Bytes JMP 02662CD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 026336F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 02633880 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!CreateProcessInternalW 76C60852 5 Bytes JMP 026340E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!CreateProcessInternalA 76C6C954 5 Bytes JMP 026344E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!CopyFileA 76C76E12 5 Bytes JMP 026334C0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!CopyFileExA 76C9D231 5 Bytes JMP 02633280 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] kernel32.dll!WinExec + 5 76C9F233 6 Bytes JMP 02633EC0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!RegSetValueExA 764C1433 5 Bytes JMP 02636FA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!RegQueryValueExW 764C462D 5 Bytes JMP 026353F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!RegQueryValueExA 764C486F 5 Bytes JMP 02635030 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] advapi32.DLL!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] user32.DLL!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] user32.DLL!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2516] user32.DLL!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] user32.DLL!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] shlwapi.DLL!SHRegGetUSValueW 76B8252D 5 Bytes JMP 02634E90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ole32.dll!CoGetClassObject 756854AD 5 Bytes JMP 02662E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7172000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717B000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 02662DF0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 026346D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7175000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!ioctlsocket 76BD3084 6 Bytes JMP 711E000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!sendto 76BD34B5 6 Bytes JMP 7124000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!closesocket 76BD3918 6 Bytes JMP 02662B00 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!WSASend 76BD4406 5 Bytes JMP 02631650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!select 76BD6989 6 Bytes JMP 7121000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!recv 76BD6B0E 6 Bytes JMP 02662AD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!connect 76BD6BDD 6 Bytes JMP 712D000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!send 76BD6F01 6 Bytes JMP 02631470 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!WSARecv 76BD7089 6 Bytes JMP 02662A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!WSAGetOverlappedResult 76BD7489 6 Bytes JMP 02662A40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WS2_32.dll!WSAAsyncSelect 76BEB014 6 Bytes JMP 711B000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WININET.dll!HttpOpenRequestW 76D19A50 5 Bytes JMP 02632F70 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WININET.dll!InternetConnectW 76D1C8E0 5 Bytes JMP 02633010 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WININET.dll!HttpOpenRequestA 76D9A450 5 Bytes JMP 02632E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WININET.dll!InternetOpenUrlA 76DE9610 5 Bytes JMP 026330B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2516] WININET.dll!InternetOpenUrlW 76DEA0D0 5 Bytes JMP 026331E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7198000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 713C000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7139000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ADVAPI32.dll!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ADVAPI32.dll!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ADVAPI32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ADVAPI32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ADVAPI32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ADVAPI32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] USER32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] USER32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] USER32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] USER32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7172000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717B000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 717E000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7178000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7175000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!ioctlsocket 76BD3084 6 Bytes JMP 711E000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!sendto 76BD34B5 6 Bytes JMP 7124000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!closesocket 76BD3918 6 Bytes JMP 7130000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!WSASend 76BD4406 6 Bytes JMP 710F000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!select 76BD6989 6 Bytes JMP 7121000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!recv 76BD6B0E 6 Bytes JMP 7116000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!connect 76BD6BDD 6 Bytes JMP 712D000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!send 76BD6F01 6 Bytes JMP 7127000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!WSARecv 76BD7089 6 Bytes JMP 7112000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!WSAGetOverlappedResult 76BD7489 6 Bytes JMP 7109000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] WS2_32.dll!WSAAsyncSelect 76BEB014 6 Bytes JMP 711B000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Program Files\Audio\iTunes\iTunesHelper.exe[2656] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Windows\system32\Dwm.exe[2836] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\system32\Dwm.exe[2836] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text C:\Windows\system32\Dwm.exe[2836] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\Windows\system32\Dwm.exe[2836] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7198000A .text C:\Windows\system32\Dwm.exe[2836] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Windows\system32\Dwm.exe[2836] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 713C000A .text C:\Windows\system32\Dwm.exe[2836] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7139000A .text C:\Windows\system32\Dwm.exe[2836] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Windows\system32\Dwm.exe[2836] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Windows\system32\Dwm.exe[2836] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Windows\system32\Dwm.exe[2836] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Windows\system32\Dwm.exe[2836] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Windows\system32\Dwm.exe[2836] USER32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2836] USER32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Windows\system32\Dwm.exe[2836] USER32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Windows\system32\Dwm.exe[2836] USER32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Windows\system32\Dwm.exe[2836] ADVAPI32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Windows\system32\Dwm.exe[2836] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Windows\system32\Dwm.exe[2836] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7172000A .text C:\Windows\system32\Dwm.exe[2836] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717B000A .text C:\Windows\system32\Dwm.exe[2836] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[2836] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7178000A .text C:\Windows\system32\Dwm.exe[2836] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7175000A .text C:\Windows\system32\Dwm.exe[2836] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Windows\system32\Dwm.exe[2836] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Windows\system32\Dwm.exe[2836] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [22, 71] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [6F, 71] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [25, 71] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [6B, 71] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [67, 71] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [64, 71] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [61, 71] .text C:\Windows\Explorer.EXE[2884] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Windows\Explorer.EXE[2884] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 05C35840 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2884] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\Windows\Explorer.EXE[2884] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7195000A .text C:\Windows\Explorer.EXE[2884] kernel32.dll!DeleteFileW 76C517FF 6 Bytes JMP 7185000A .text C:\Windows\Explorer.EXE[2884] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7192000A .text C:\Windows\Explorer.EXE[2884] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 712C000A .text C:\Windows\Explorer.EXE[2884] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7129000A .text C:\Windows\Explorer.EXE[2884] kernel32.dll!CreateProcessInternalW 76C60852 5 Bytes JMP 05C340E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2884] kernel32.dll!CreateProcessInternalA 76C6C954 5 Bytes JMP 05C344E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2884] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718F000A .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!RegSetValueExA 764C1433 5 Bytes JMP 05C36FA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!RegQueryValueExW 764C462D 5 Bytes JMP 05C353F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!RegQueryValueExA 764C486F 5 Bytes JMP 05C35030 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!CreateServiceW 764D70C4 6 Bytes JMP 7141000A .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!CreateServiceA 764F3264 6 Bytes JMP 7144000A .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7153000A .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 714D000A .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7156000A .text C:\Windows\Explorer.EXE[2884] ADVAPI32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7150000A .text C:\Windows\Explorer.EXE[2884] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7132000A .text C:\Windows\Explorer.EXE[2884] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 712F000A .text C:\Windows\Explorer.EXE[2884] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7138000A .text C:\Windows\Explorer.EXE[2884] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7135000A .text C:\Windows\Explorer.EXE[2884] USER32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2884] USER32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [3A, 71] .text C:\Windows\Explorer.EXE[2884] USER32.dll!SendMessageTimeoutW 7662E459 6 Bytes JMP 7176000A .text C:\Windows\Explorer.EXE[2884] USER32.dll!SendMessageTimeoutA 76656DA9 6 Bytes JMP 7173000A .text C:\Windows\Explorer.EXE[2884] USER32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 7159000A .text C:\Windows\Explorer.EXE[2884] USER32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 713E000A .text C:\Windows\Explorer.EXE[2884] SHLWAPI.dll!SHRegGetUSValueW 76B8252D 5 Bytes JMP 05C34E90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2884] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7179000A .text C:\Windows\Explorer.EXE[2884] SHELL32.dll!PathResolve + 106C 757C53CB 5 Bytes JMP 05C30790 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2884] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 05C33F80 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2884] SHELL32.dll!SHGetItemFromDataObject + 378 757FEBD4 4 Bytes [04, 00, EF, 02] .text C:\Windows\Explorer.EXE[2884] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 7198000A .text C:\Windows\Explorer.EXE[2884] SHELL32.dll!SHEnumerateUnreadMailAccountsW + FF2 759D534D 5 Bytes JMP 05C62E10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2884] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 717F000A .text C:\Windows\Explorer.EXE[2884] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 717C000A .text C:\Windows\Explorer.EXE[2884] ole32.dll!RegisterDragDrop 7566E924 6 Bytes JMP 718C000A .text C:\Windows\Explorer.EXE[2884] ole32.dll!RevokeDragDrop 7566EA05 6 Bytes JMP 7189000A .text C:\Windows\Explorer.EXE[2884] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Windows\Explorer.EXE[2884] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 715F000A .text C:\Windows\Explorer.EXE[2884] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7147000A .text C:\Windows\Explorer.EXE[2884] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 714A000A .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [89, 71] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [85, 71] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [81, 71] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [7E, 71] {JLE 0x73} .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [7B, 71] {JNP 0x73} .text C:\Windows\system32\svchost.exe[3016] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Windows\system32\svchost.exe[3016] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[3016] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3016] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3016] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3016] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3016] RPCRT4.dll!RpcServerRegisterIfEx 76420898 6 Bytes JMP 71A5000A .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3016] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3016] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A2000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtCreateProcess 771D56D8 5 Bytes JMP 02C12DB0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtCreateProcessEx 771D56E8 5 Bytes JMP 02C12D20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 02C15780 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 02C156E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!CopyFileW 76C46C07 5 Bytes JMP 02C13630 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 02C13400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!LoadLibraryExA 76C54576 5 Bytes JMP 02C13900 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!LoadLibraryExW 76C55189 5 Bytes JMP 02C13A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!MoveFileWithProgressW 76C58E9C 5 Bytes JMP 02C42CD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 02C136F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 02C13880 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!CreateProcessInternalW 76C60852 5 Bytes JMP 02C140E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!CreateProcessInternalA 76C6C954 5 Bytes JMP 02C144E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!CopyFileA 76C76E12 5 Bytes JMP 02C134C0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!CopyFileExA 76C9D231 5 Bytes JMP 02C13280 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] kernel32.dll!WinExec + 5 76C9F233 6 Bytes JMP 02C13EC0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!RegSetValueExA 764C1433 5 Bytes JMP 02C16FA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!RegQueryValueExW 764C462D 5 Bytes JMP 02C153F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!RegQueryValueExA 764C486F 5 Bytes JMP 02C15030 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] advapi32.DLL!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] user32.DLL!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] user32.DLL!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3032] user32.DLL!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] user32.DLL!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] shlwapi.DLL!SHRegGetUSValueW 76B8252D 5 Bytes JMP 02C14E90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ole32.dll!CoGetClassObject 756854AD 5 Bytes JMP 02C42E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7172000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717B000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 02C42DF0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 02C146D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7175000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!ioctlsocket 76BD3084 6 Bytes JMP 711E000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!sendto 76BD34B5 6 Bytes JMP 7124000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!closesocket 76BD3918 6 Bytes JMP 02C42B00 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!WSASend 76BD4406 5 Bytes JMP 02C11650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!select 76BD6989 6 Bytes JMP 7121000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!recv 76BD6B0E 6 Bytes JMP 02C42AD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!connect 76BD6BDD 6 Bytes JMP 712D000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!send 76BD6F01 6 Bytes JMP 02C11470 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!WSARecv 76BD7089 6 Bytes JMP 02C42A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!WSAGetOverlappedResult 76BD7489 6 Bytes JMP 02C42A40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WS2_32.dll!WSAAsyncSelect 76BEB014 6 Bytes JMP 711B000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WININET.dll!HttpOpenRequestW 76D19A50 5 Bytes JMP 02C12F70 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WININET.dll!InternetConnectW 76D1C8E0 5 Bytes JMP 02C13010 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WININET.dll!HttpOpenRequestA 76D9A450 5 Bytes JMP 02C12E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WININET.dll!InternetOpenUrlA 76DE9610 5 Bytes JMP 02C130B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3032] WININET.dll!InternetOpenUrlW 76DEA0D0 5 Bytes JMP 02C131E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [29, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [7F, 71] {JG 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [2C, 71] {SUB AL, 0x71} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [7B, 71] {JNP 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7195000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7192000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 7133000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7130000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718F000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ADVAPI32.dll!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ADVAPI32.dll!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ADVAPI32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ADVAPI32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ADVAPI32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ADVAPI32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] USER32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] USER32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] USER32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] USER32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7183000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 718C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 7198000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7189000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7186000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3308] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [1C, 71] {SBB AL, 0x71} .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [75, 71] {JNZ 0x73} .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [1F, 71] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [6D, 71] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [67, 71] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 719A000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 7197000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 718B000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7188000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 7126000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7123000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7185000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7179000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 7182000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 718E000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 717F000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 717C000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7138000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 7135000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 713E000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 713B000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] USER32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] USER32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [40, 71] .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] USER32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 715F000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] USER32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 7144000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 7194000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ADVAPI32.dll!CreateServiceW 764D70C4 6 Bytes JMP 7147000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 7191000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ADVAPI32.dll!CreateServiceA 764F3264 6 Bytes JMP 714A000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ADVAPI32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7159000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ADVAPI32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 7153000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ADVAPI32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 715C000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] ADVAPI32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7156000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!ioctlsocket 76BD3084 6 Bytes JMP 7108000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!sendto 76BD34B5 6 Bytes JMP 710E000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!closesocket 76BD3918 6 Bytes JMP 711A000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 7165000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!WSASend 76BD4406 6 Bytes JMP 70F9000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!select 76BD6989 6 Bytes JMP 710B000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!recv 76BD6B0E 6 Bytes JMP 7100000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!connect 76BD6BDD 6 Bytes JMP 7117000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!send 76BD6F01 6 Bytes JMP 7111000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!WSARecv 76BD7089 6 Bytes JMP 70FC000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!WSAGetOverlappedResult 76BD7489 6 Bytes JMP 70F3000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] WS2_32.dll!WSAAsyncSelect 76BEB014 6 Bytes JMP 7105000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 714D000A .text C:\Program Files\Admin\Launchy\Launchy.exe[3392] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 7150000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [7F, 71] {JG 0x73} .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [7B, 71] {JNP 0x73} .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7195000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7192000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 713C000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7139000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718F000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] USER32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] USER32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] USER32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] USER32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ADVAPI32.dll!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ADVAPI32.dll!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ADVAPI32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ADVAPI32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ADVAPI32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] ADVAPI32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7183000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 718C000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 7198000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7189000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7186000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[3448] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtCreateProcess 771D56D8 5 Bytes JMP 02A02DB0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtCreateProcessEx 771D56E8 5 Bytes JMP 02A02D20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 02A05780 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 02A056E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!CopyFileW 76C46C07 5 Bytes JMP 02A03630 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 02A03400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!LoadLibraryExA 76C54576 5 Bytes JMP 02A03900 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!LoadLibraryExW 76C55189 5 Bytes JMP 02A03A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!MoveFileWithProgressW 76C58E9C 5 Bytes JMP 02A32CD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 02A036F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 02A03880 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!CreateProcessInternalW 76C60852 5 Bytes JMP 02A040E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!CreateProcessInternalA 76C6C954 5 Bytes JMP 02A044E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!CopyFileA 76C76E12 5 Bytes JMP 02A034C0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!CopyFileExA 76C9D231 5 Bytes JMP 02A03280 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] kernel32.dll!WinExec + 5 76C9F233 6 Bytes JMP 02A03EC0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!RegSetValueExA 764C1433 5 Bytes JMP 02A06FA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!RegQueryValueExW 764C462D 5 Bytes JMP 02A053F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!RegQueryValueExA 764C486F 5 Bytes JMP 02A05030 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] advapi32.DLL!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] user32.DLL!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] user32.DLL!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3572] user32.DLL!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] user32.DLL!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] shlwapi.DLL!SHRegGetUSValueW 76B8252D 5 Bytes JMP 02A04E90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ole32.dll!CoGetClassObject 756854AD 5 Bytes JMP 02A32E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7172000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717B000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 02A32DF0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 02A046D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7175000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!ioctlsocket 76BD3084 6 Bytes JMP 7121000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!sendto 76BD34B5 6 Bytes JMP 7127000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!closesocket 76BD3918 6 Bytes JMP 02A32B00 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!WSASend 76BD4406 5 Bytes JMP 02A01650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!select 76BD6989 6 Bytes JMP 7124000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!recv 76BD6B0E 6 Bytes JMP 02A32AD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!connect 76BD6BDD 6 Bytes JMP 712D000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!send 76BD6F01 5 Bytes JMP 02A01470 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!WSARecv 76BD7089 6 Bytes JMP 02A32A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!WSAGetOverlappedResult 76BD7489 6 Bytes JMP 02A32A40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WS2_32.dll!WSAAsyncSelect 76BEB014 6 Bytes JMP 711E000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WININET.dll!HttpOpenRequestW 76D19A50 5 Bytes JMP 02A02F70 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WININET.dll!InternetConnectW 76D1C8E0 5 Bytes JMP 02A03010 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WININET.dll!HttpOpenRequestA 76D9A450 5 Bytes JMP 02A02E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WININET.dll!InternetOpenUrlA 76DE9610 5 Bytes JMP 02A030B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3572] WININET.dll!InternetOpenUrlW 76DEA0D0 5 Bytes JMP 02A031E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8F, 71] .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8B, 71] .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [87, 71] .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [84, 71] .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [81, 71] .text C:\Program Files\iPod\bin\iPodService.exe[3784] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AF000A .text C:\Program Files\iPod\bin\iPodService.exe[3784] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A5000A .text C:\Program Files\iPod\bin\iPodService.exe[3784] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A2000A .text C:\Program Files\iPod\bin\iPodService.exe[3784] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7199000A .text C:\Program Files\iPod\bin\iPodService.exe[3784] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7196000A .text C:\Program Files\iPod\bin\iPodService.exe[3784] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7193000A .text C:\Program Files\iPod\bin\iPodService.exe[3784] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719F000A .text C:\Program Files\iPod\bin\iPodService.exe[3784] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719C000A .text C:\Program Files\iPod\bin\iPodService.exe[3784] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A8000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [7D, 70] {JGE 0x72} .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [7F, 71] {JG 0x73} .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [80, 70] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [7B, 71] {JNP 0x73} .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [CB, 70] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [C8, 70] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [C5, 70] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7195000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7192000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 7087000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7084000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718F000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!ioctlsocket 76BD3084 6 Bytes JMP 7069000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!sendto 76BD34B5 6 Bytes JMP 706F000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!closesocket 76BD3918 6 Bytes JMP 707B000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 70C3000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!WSASend 76BD4406 6 Bytes JMP 705A000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!select 76BD6989 6 Bytes JMP 706C000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!recv 76BD6B0E 6 Bytes JMP 7061000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!connect 76BD6BDD 6 Bytes JMP 7078000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!send 76BD6F01 6 Bytes JMP 7072000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!WSARecv 76BD7089 6 Bytes JMP 705D000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!WSAGetOverlappedResult 76BD7489 6 Bytes JMP 7054000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] WS2_32.dll!WSAAsyncSelect 76BEB014 6 Bytes JMP 7066000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] USER32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] USER32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [9E, 70] .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] USER32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 70BD000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] USER32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 70A2000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7096000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 7093000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 709C000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7099000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7183000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 718C000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 7198000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7189000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7186000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ADVAPI32.dll!CreateServiceW 764D70C4 6 Bytes JMP 70A5000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ADVAPI32.dll!CreateServiceA 764F3264 6 Bytes JMP 70A8000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ADVAPI32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 70B7000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ADVAPI32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 70B1000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ADVAPI32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 70BA000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] ADVAPI32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 70B4000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 70AB000A .text C:\Users\rambo\AppData\Local\MEGAsync\MEGAsync.exe[3960] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 70AE000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtCreateProcess 771D56D8 5 Bytes JMP 027A2DB0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtCreateProcessEx 771D56E8 5 Bytes JMP 027A2D20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 027A5780 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 027A56E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!CopyFileW 76C46C07 5 Bytes JMP 027A3630 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 027A3400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!LoadLibraryExA 76C54576 5 Bytes JMP 027A3900 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!LoadLibraryExW 76C55189 5 Bytes JMP 027A3A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!MoveFileWithProgressW 76C58E9C 5 Bytes JMP 027D2CD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 027A36F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 027A3880 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!CreateProcessInternalW 76C60852 5 Bytes JMP 027A40E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!CreateProcessInternalA 76C6C954 5 Bytes JMP 027A44E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!CopyFileA 76C76E12 5 Bytes JMP 027A34C0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!CopyFileExA 76C9D231 5 Bytes JMP 027A3280 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] kernel32.dll!WinExec + 5 76C9F233 6 Bytes JMP 027A3EC0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!RegSetValueExA 764C1433 5 Bytes JMP 027A6FA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!RegQueryValueExW 764C462D 5 Bytes JMP 027A53F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!RegQueryValueExA 764C486F 5 Bytes JMP 027A5030 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] advapi32.DLL!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] user32.DLL!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] user32.DLL!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4004] user32.DLL!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] user32.DLL!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] shlwapi.DLL!SHRegGetUSValueW 76B8252D 5 Bytes JMP 027A4E90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ole32.dll!CoGetClassObject 756854AD 5 Bytes JMP 027D2E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7172000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717B000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 027D2DF0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 027A46D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7175000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!ioctlsocket 76BD3084 6 Bytes JMP 7124000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!sendto 76BD34B5 6 Bytes JMP 712A000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!closesocket 76BD3918 5 Bytes JMP 027D2B00 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!WSASend 76BD4406 5 Bytes JMP 027A1650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!select 76BD6989 6 Bytes JMP 7127000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!recv 76BD6B0E 5 Bytes JMP 027D2AD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!connect 76BD6BDD 6 Bytes JMP 7130000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!send 76BD6F01 5 Bytes JMP 027A1470 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!WSARecv 76BD7089 5 Bytes JMP 027D2A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!WSAGetOverlappedResult 76BD7489 5 Bytes JMP 027D2A40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WS2_32.dll!WSAAsyncSelect 76BEB014 6 Bytes JMP 7121000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WININET.dll!HttpOpenRequestW 76D19A50 5 Bytes JMP 027A2F70 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WININET.dll!InternetConnectW 76D1C8E0 5 Bytes JMP 027A3010 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WININET.dll!HttpOpenRequestA 76D9A450 5 Bytes JMP 027A2E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WININET.dll!InternetOpenUrlA 76DE9610 5 Bytes JMP 027A30B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4004] WININET.dll!InternetOpenUrlW 76DEA0D0 5 Bytes JMP 027A31E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtCreateProcess 771D56D8 5 Bytes JMP 03182DB0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtCreateProcessEx 771D56E8 5 Bytes JMP 03182D20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 03185780 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 031856E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!CopyFileW 76C46C07 5 Bytes JMP 03183630 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 03183400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!LoadLibraryExA 76C54576 5 Bytes JMP 03183900 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!LoadLibraryExW 76C55189 5 Bytes JMP 03183A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!MoveFileWithProgressW 76C58E9C 5 Bytes JMP 031B2CD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 031836F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 03183880 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!CreateProcessInternalW 76C60852 5 Bytes JMP 031840E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!CreateProcessInternalA 76C6C954 5 Bytes JMP 031844E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!CopyFileA 76C76E12 5 Bytes JMP 031834C0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!CopyFileExA 76C9D231 5 Bytes JMP 03183280 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] kernel32.dll!WinExec + 5 76C9F233 6 Bytes JMP 03183EC0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!RegSetValueExA 764C1433 5 Bytes JMP 03186FA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!RegQueryValueExW 764C462D 5 Bytes JMP 031853F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!RegQueryValueExA 764C486F 5 Bytes JMP 03185030 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] advapi32.DLL!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] user32.DLL!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] user32.DLL!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[4140] user32.DLL!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] user32.DLL!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] shlwapi.DLL!SHRegGetUSValueW 76B8252D 5 Bytes JMP 03184E90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ole32.dll!CoGetClassObject 756854AD 5 Bytes JMP 031B2E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7172000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717B000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 031B2DF0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 031846D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7175000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!ioctlsocket 76BD3084 6 Bytes JMP 711E000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!sendto 76BD34B5 6 Bytes JMP 7124000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!closesocket 76BD3918 6 Bytes JMP 031B2B00 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!WSASend 76BD4406 5 Bytes JMP 03181650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!select 76BD6989 6 Bytes JMP 7121000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!recv 76BD6B0E 6 Bytes JMP 031B2AD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!connect 76BD6BDD 6 Bytes JMP 712D000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!send 76BD6F01 6 Bytes JMP 03181470 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!WSARecv 76BD7089 6 Bytes JMP 031B2A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!WSAGetOverlappedResult 76BD7489 6 Bytes JMP 031B2A40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WS2_32.dll!WSAAsyncSelect 76BEB014 6 Bytes JMP 711B000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WININET.dll!HttpOpenRequestW 76D19A50 5 Bytes JMP 03182F70 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WININET.dll!InternetConnectW 76D1C8E0 5 Bytes JMP 03183010 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WININET.dll!HttpOpenRequestA 76D9A450 5 Bytes JMP 03182E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WININET.dll!InternetOpenUrlA 76DE9610 5 Bytes JMP 031830B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4140] WININET.dll!InternetOpenUrlW 76DEA0D0 5 Bytes JMP 031831E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtAcceptConnectPort 771D51E8 3 Bytes [FF, 25, 1E] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtAcceptConnectPort + 4 771D51EC 2 Bytes [32, 71] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [7F, 71] {JG 0x73} .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [35, 71] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [7B, 71] {JNP 0x73} .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [77, 71] {JA 0x73} .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [74, 71] {JZ 0x73} .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [71, 71] {JNO 0x73} .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7195000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7192000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 713C000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7139000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 718F000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 7142000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 713F000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7148000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 7145000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] USER32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] USER32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [4A, 71] .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] USER32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] USER32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 714E000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ADVAPI32.dll!CreateServiceW 764D70C4 6 Bytes JMP 7151000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ADVAPI32.dll!CreateServiceA 764F3264 6 Bytes JMP 7154000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ADVAPI32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ADVAPI32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ADVAPI32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ADVAPI32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] SHELL32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7183000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] SHELL32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 718C000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] SHELL32.dll!SHFileOperationW 75809700 6 Bytes JMP 7198000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] SHELL32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7189000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] SHELL32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7186000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text E:\PROGRAMY\PROGRAMY PORTABLE\ADMIN\PROCESSEXPLORER\PROCEXP.EXE[4196] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtCreateFile 771D5608 3 Bytes [FF, 25, 1E] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtCreateFile + 4 771D560C 2 Bytes [8E, 71] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtCreateSymbolicLinkObject 771D5748 3 Bytes [FF, 25, 1E] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtCreateSymbolicLinkObject + 4 771D574C 2 Bytes [2E, 71] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtOpenFile 771D5D18 3 Bytes [FF, 25, 1E] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtOpenFile + 4 771D5D1C 2 Bytes [8A, 71] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtProtectVirtualMemory 771D5F58 3 Bytes [FF, 25, 1E] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtProtectVirtualMemory + 4 771D5F5C 2 Bytes [28, 71] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtQueryAttributesFile 771D5F78 3 Bytes [FF, 25, 1E] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtQueryAttributesFile + 4 771D5F7C 2 Bytes [86, 71] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtQueryFullAttributesFile 771D6028 3 Bytes [FF, 25, 1E] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtQueryFullAttributesFile + 4 771D602C 2 Bytes [83, 71] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtSetInformationFile 771D6678 3 Bytes [FF, 25, 1E] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtSetInformationFile + 4 771D667C 2 Bytes [80, 71] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtWriteVirtualMemory 771D6AD8 3 Bytes [FF, 25, 1E] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!NtWriteVirtualMemory + 4 771D6ADC 2 Bytes [22, 71] .text C:\FIXITPC\vgii8zji.exe[5988] ntdll.dll!LdrLoadDll 771F22AE 6 Bytes JMP 71AE000A .text C:\FIXITPC\vgii8zji.exe[5988] kernel32.dll!CreateProcessW 76C1204D 6 Bytes JMP 71A4000A .text C:\FIXITPC\vgii8zji.exe[5988] kernel32.dll!CreateProcessA 76C12082 6 Bytes JMP 71A1000A .text C:\FIXITPC\vgii8zji.exe[5988] kernel32.dll!CopyFileExW 76C4B348 6 Bytes JMP 7198000A .text C:\FIXITPC\vgii8zji.exe[5988] kernel32.dll!MoveFileExW 76C58EC0 6 Bytes JMP 7195000A .text C:\FIXITPC\vgii8zji.exe[5988] kernel32.dll!LoadLibraryA 76C5DD15 6 Bytes JMP 7135000A .text C:\FIXITPC\vgii8zji.exe[5988] kernel32.dll!LoadLibraryW 76C5EFF2 6 Bytes JMP 7132000A .text C:\FIXITPC\vgii8zji.exe[5988] kernel32.dll!MoveFileW 76C76F8E 6 Bytes JMP 7192000A .text C:\FIXITPC\vgii8zji.exe[5988] kernel32.dll!WriteProcessMemory 76C79657 6 Bytes JMP 7126000A .text C:\FIXITPC\vgii8zji.exe[5988] kernel32.dll!VirtualProtectEx 76CA0269 6 Bytes JMP 712C000A .text C:\FIXITPC\vgii8zji.exe[5988] USER32.dll!RegisterHotKey 7662AA19 3 Bytes [FF, 25, 1E] .text C:\FIXITPC\vgii8zji.exe[5988] USER32.dll!RegisterHotKey + 4 7662AA1D 2 Bytes [43, 71] .text C:\FIXITPC\vgii8zji.exe[5988] USER32.dll!ExitWindowsEx 766706C7 6 Bytes JMP 7169000A .text C:\FIXITPC\vgii8zji.exe[5988] USER32.dll!DdeClientTransaction 7668323C 6 Bytes JMP 7147000A .text C:\FIXITPC\vgii8zji.exe[5988] GDI32.dll!DeleteDC 77146EAA 6 Bytes JMP 713B000A .text C:\FIXITPC\vgii8zji.exe[5988] GDI32.dll!BitBlt 771472C0 6 Bytes JMP 7138000A .text C:\FIXITPC\vgii8zji.exe[5988] GDI32.dll!CreateDCA 7714CCA9 6 Bytes JMP 7141000A .text C:\FIXITPC\vgii8zji.exe[5988] GDI32.dll!CreateDCW 7714CF79 6 Bytes JMP 713E000A .text C:\FIXITPC\vgii8zji.exe[5988] ADVAPI32.dll!CreateProcessAsUserW 764BC532 6 Bytes JMP 719E000A .text C:\FIXITPC\vgii8zji.exe[5988] ADVAPI32.dll!CreateServiceW 764D70C4 6 Bytes JMP 714A000A .text C:\FIXITPC\vgii8zji.exe[5988] ADVAPI32.dll!CreateProcessAsUserA 764F2642 6 Bytes JMP 719B000A .text C:\FIXITPC\vgii8zji.exe[5988] ADVAPI32.dll!CreateServiceA 764F3264 6 Bytes JMP 714D000A .text C:\FIXITPC\vgii8zji.exe[5988] ADVAPI32.dll!InitiateSystemShutdownW 7650DC55 6 Bytes JMP 7163000A .text C:\FIXITPC\vgii8zji.exe[5988] ADVAPI32.dll!InitiateSystemShutdownExW 7650DD22 6 Bytes JMP 715D000A .text C:\FIXITPC\vgii8zji.exe[5988] ADVAPI32.dll!InitiateSystemShutdownA 7650DDF7 6 Bytes JMP 7166000A .text C:\FIXITPC\vgii8zji.exe[5988] ADVAPI32.dll!InitiateSystemShutdownExA 7650DE9E 6 Bytes JMP 7160000A .text C:\FIXITPC\vgii8zji.exe[5988] ole32.dll!CoGetClassObject 756854AD 6 Bytes JMP 7150000A .text C:\FIXITPC\vgii8zji.exe[5988] ole32.dll!CoCreateInstance 75699D0B 6 Bytes JMP 71A7000A .text C:\FIXITPC\vgii8zji.exe[5988] ole32.dll!CoCreateInstanceEx 75699D4E 6 Bytes JMP 7153000A .text C:\FIXITPC\vgii8zji.exe[5988] shell32.dll!ShellExecuteW 757C3C39 6 Bytes JMP 7172000A .text C:\FIXITPC\vgii8zji.exe[5988] shell32.dll!ShellExecuteExW 757D1E06 6 Bytes JMP 717B000A .text C:\FIXITPC\vgii8zji.exe[5988] shell32.dll!SHFileOperationW 75809700 6 Bytes JMP 717E000A .text C:\FIXITPC\vgii8zji.exe[5988] shell32.dll!ShellExecuteEx 759F767A 6 Bytes JMP 7178000A .text C:\FIXITPC\vgii8zji.exe[5988] shell32.dll!ShellExecuteA 759F7715 6 Bytes JMP 7175000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!ioctlsocket 76BD3084 6 Bytes JMP 710E000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!sendto 76BD34B5 6 Bytes JMP 7114000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!closesocket 76BD3918 6 Bytes JMP 7120000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!socket 76BD3EB8 6 Bytes JMP 716F000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!WSASend 76BD4406 6 Bytes JMP 70FF000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!select 76BD6989 6 Bytes JMP 7111000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!recv 76BD6B0E 6 Bytes JMP 7106000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!connect 76BD6BDD 6 Bytes JMP 711D000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!send 76BD6F01 6 Bytes JMP 7117000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!WSARecv 76BD7089 6 Bytes JMP 7102000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!WSAGetOverlappedResult 76BD7489 6 Bytes JMP 70F9000A .text C:\FIXITPC\vgii8zji.exe[5988] WS2_32.dll!WSAAsyncSelect 76BEB014 6 Bytes JMP 710B000A .text C:\FIXITPC\vgii8zji.exe[5988] IPHLPAPI.DLL!IcmpSendEcho2Ex 7250843C 6 Bytes JMP 7157000A .text C:\FIXITPC\vgii8zji.exe[5988] IPHLPAPI.DLL!IcmpSendEcho2 7250873B 6 Bytes JMP 715A000A ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs kisknl.sys Device \Driver\RLMUPFLT \Device\RLMUPFLT fltmgr.sys Device \Driver\tdx \Device\Tcp OAmon.sys Device \Driver\tdx \Device\RawIp6 OAmon.sys Device \Driver\tdx \Device\Tcp6 OAmon.sys Device \Driver\tdx \Device\Tdx OAmon.sys Device \Driver\tdx \Device\Udp OAmon.sys Device \Driver\tdx \Device\RawIp OAmon.sys Device \Driver\tdx \Device\Udp6 OAmon.sys Device \Driver\TrustwareBzHookDrv \Device\TrustwareBzHookDrv BzHookDrv32.sys ---- Files - GMER 2.1 ---- File C:\Users\rambo\AppData\Local\Mozilla\Firefox\Profiles\si0vca03.default\cache2\entries\9A3472020C50E3E5F08DADD85B5F7B9B5765A795 2450 bytes File C:\Users\rambo\AppData\Local\Mozilla\Firefox\Profiles\si0vca03.default\cache2\entries\026B6881B0F111D52212C34DAECC00B57105986E 0 bytes File C:\Users\rambo\AppData\Local\Mozilla\Firefox\Profiles\si0vca03.default\cache2\entries\125ACD003B6C4B7563DE72EE85C7EF1AFE67BBD6 2714 bytes File C:\Users\rambo\AppData\Local\Mozilla\Firefox\Profiles\si0vca03.default\cache2\entries\86A6CB1A98BF0BD66663A105F3FFDE84D37568CF 3645 bytes File C:\Users\rambo\AppData\Local\Mozilla\Firefox\Profiles\si0vca03.default\cache2\entries\3CE3401F3641733B3B207BD620676C5956C2E50A 1339 bytes File C:\Users\rambo\AppData\Local\Mozilla\Firefox\Profiles\si0vca03.default\cache2\entries\FC405280DE5B956F8E574C651D9A277A05A2C65F 0 bytes File C:\Users\rambo\AppData\Local\Mozilla\Firefox\Profiles\si0vca03.default\cache2\entries\D6212A78EB9B3B742C16B7BEDFF09D910C79FF3C 0 bytes File C:\Users\rambo\AppData\Local\Mozilla\Firefox\Profiles\si0vca03.default\cache2\entries\F568FA8850E0FE88B0C54C364AFC70F5F609540B 0 bytes File C:\Users\rambo\AppData\Local\Mozilla\Firefox\Profiles\si0vca03.default\cache2\entries\DAFE3DE28962CADA5873A9F6684079F90FA0EDCF 0 bytes File C:\Users\rambo\AppData\Local\Mozilla\Firefox\Profiles\si0vca03.default\cache2\entries\4985B81E7BC26A54EFACC62D3BC136356070B5DF 0 bytes ---- EOF - GMER 2.1 ----