GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-03-30 19:42:55 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.8.10 Running: i7rziq3g.exe; Driver: C:\DOCUME~1\UZYTKO~1\USTAWI~1\Temp\kgwirkod.sys ---- System - GMER 1.0.15 ---- SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF9937514] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF9926282] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF9926474] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF9937D00] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF9937FB8] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF99363FA] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF9938422] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF99377D8] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF9925F32] ---- Kernel code sections - GMER 1.0.15 ---- ? C:\WINDOWS\system32\Drivers\mchInjDrv.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Spyware Doctor\pctsSvc.exe[188] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044AD11 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools) .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F00001 .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe[336] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[428] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04540001 .text C:\Program Files\Spyware Doctor\pctsTray.exe[428] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044AB89 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools) .text C:\Program Files\Spyware Doctor\pctsTray.exe[428] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[428] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F040F5A .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01160001 .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[448] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 1 Byte [C3] .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04D90001 .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[504] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[608] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\csrss.exe[608] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01460001 .text C:\WINDOWS\system32\csrss.exe[608] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\csrss.exe[608] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[632] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\winlogon.exe[632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 015B0001 .text C:\WINDOWS\system32\winlogon.exe[632] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\winlogon.exe[632] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[676] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\services.exe[676] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D30001 .text C:\WINDOWS\system32\services.exe[676] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\services.exe[676] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[712] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01250001 .text C:\WINDOWS\system32\lsass.exe[712] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\lsass.exe[712] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E20001 .text C:\WINDOWS\system32\svchost.exe[920] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\svchost.exe[920] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C30001 .text C:\WINDOWS\system32\svchost.exe[1040] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\svchost.exe[1040] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02B70001 .text C:\WINDOWS\System32\svchost.exe[1136] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\System32\svchost.exe[1136] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\svchost.exe[1260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AB0001 .text C:\WINDOWS\system32\svchost.exe[1260] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\svchost.exe[1260] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A10001 .text C:\WINDOWS\system32\svchost.exe[1352] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\svchost.exe[1352] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1484] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E30001 .text C:\WINDOWS\system32\spoolsv.exe[1484] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\spoolsv.exe[1484] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1668] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\svchost.exe[1668] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EE0001 .text C:\WINDOWS\system32\svchost.exe[1668] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\svchost.exe[1668] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\WgaTray.exe[1704] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\WgaTray.exe[1704] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F20001 .text C:\WINDOWS\system32\WgaTray.exe[1704] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\WgaTray.exe[1704] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\svchost.exe[1800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00980001 .text C:\WINDOWS\system32\svchost.exe[1800] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\svchost.exe[1800] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1816] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\Explorer.EXE[1816] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01570001 .text C:\WINDOWS\Explorer.EXE[1816] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\Explorer.EXE[1816] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FA0001 .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe[1836] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cisvc.exe[1848] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\cisvc.exe[1848] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CA0001 .text C:\WINDOWS\system32\cisvc.exe[1848] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\cisvc.exe[1848] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01E60001 .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\Program Files\Java\jre6\bin\jqs.exe[1888] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00790001 .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[2020] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3012] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\System32\alg.exe[3012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 008D0001 .text C:\WINDOWS\System32\alg.exe[3012] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\WINDOWS\System32\alg.exe[3012] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\System32\alg.exe[3012] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text D:\Mozilla Firefox\firefox.exe[3040] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0040131F D:\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) .text D:\Mozilla Firefox\firefox.exe[3040] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010B0001 .text D:\Mozilla Firefox\firefox.exe[3040] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text D:\Mozilla Firefox\firefox.exe[3040] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text D:\Mozilla Firefox\firefox.exe[3040] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[3060] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\wuauclt.exe[3060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B50001 .text C:\WINDOWS\system32\wuauclt.exe[3060] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\WINDOWS\system32\wuauclt.exe[3060] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\wuauclt.exe[3060] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text D:\Pobieranie\i7rziq3g.exe[3164] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text D:\Pobieranie\i7rziq3g.exe[3164] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BC0001 .text D:\Pobieranie\i7rziq3g.exe[3164] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text D:\Pobieranie\i7rziq3g.exe[3164] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text D:\Pobieranie\i7rziq3g.exe[3164] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cidaemon.exe[3608] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text C:\WINDOWS\system32\cidaemon.exe[3608] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B90001 .text C:\WINDOWS\system32\cidaemon.exe[3608] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\WINDOWS\system32\cidaemon.exe[3608] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text C:\WINDOWS\system32\cidaemon.exe[3608] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text D:\Mozilla Firefox\plugin-container.exe[3928] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text D:\Mozilla Firefox\plugin-container.exe[3928] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FD0001 .text D:\Mozilla Firefox\plugin-container.exe[3928] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text D:\Mozilla Firefox\plugin-container.exe[3928] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text D:\Mozilla Firefox\plugin-container.exe[3928] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A .text D:\Mozilla Firefox\plugin-container.exe[3928] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 105D69A2 D:\Mozilla Firefox\xul.dll (Mozilla Foundation) .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI} .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f} .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E] .text D:\Akcesoria\wtw.exe[4020] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F] .text D:\Akcesoria\wtw.exe[4020] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01730001 .text D:\Akcesoria\wtw.exe[4020] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text D:\Akcesoria\wtw.exe[4020] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F320F5A .text D:\Akcesoria\wtw.exe[4020] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F2E0F5A ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs fsfilter.sys (F-Secure File System Filter/F-Secure Corporation) ---- EOF - GMER 1.0.15 ----