GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-06 13:55:14
Windows 5.1.2600 Dodatek Service Pack 3
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-e MAXTOR_STM3250310AS rev.4.AAA
Running: vwimp56w.exe; Driver: C:\DOCUME~1\DAMIAN~1\USTAWI~1\Temp\agkdqfod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xB49D1610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7A40D72]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7A219A6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7A21B98]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xB49D1C10]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7A41568]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7A41820]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xB49D1730]
SSDT spgv.sys ZwEnumerateKey [0xF74FCDA4]
SSDT spgv.sys ZwEnumerateValueKey [0xF74FD132]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7A3FA80]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xB49D14B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xB49D1570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xB49D16D0]
SSDT spgv.sys ZwQueryKey [0xF74FD20A]
SSDT spgv.sys ZwQueryValueKey [0xF74FD08A]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xB49D1790]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7A41C8A]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xB49D1690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xB49D1650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xB49D17D0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF7A41036]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xB49D1510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xB49D1590]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7A21656]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xB49D15D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xB49D1750]

INT 0x62 ? 89BA0BF8
INT 0x63 ? 89BA0BF8
INT 0x63 ? 89BA0BF8
INT 0x63 ? 897F6BF8
INT 0x63 ? 89BA0BF8
INT 0x82 ? 89BA0BF8
INT 0x83 ? 897F6BF8
INT 0xA4 ? 897F6BF8
INT 0xB4 ? 897F6BF8

---- Kernel code sections - GMER 1.0.15 ----

? spgv.sys Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB726D3A0, 0x88C445, 0xE8000020]
.text USBPORT.SYS!DllUnload B72258AC 5 Bytes JMP 897F61D8
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA58C8300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB70C4300, 0x1BEE, 0xE8000020]
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtSetValueKey 
7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [62, 5F] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C10001 .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A .text 
C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F970F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F640F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F820F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F670F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F940F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F880F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F850F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F9D0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F760F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] 
USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F6A0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F6D0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F790F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F700F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F5E0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[212] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\nvsvc32.exe[212] SHELL32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] SHELL32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] SHELL32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\nvsvc32.exe[212] SHELL32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F520F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtCreateFile 7C90D090 3 Bytes 
[FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\Spyware 
Doctor\pctsAuxs.exe[300] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [62, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00790001 .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!CreateProcessW 
7C802336 6 Bytes JMP 5F4C0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5FA60F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F7F0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F400F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F970F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F640F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F820F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F670F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F5B0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F940F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F880F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F850F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F9D0F5A 
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F340F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F760F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F460F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F6A0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F6D0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F430F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F790F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5FA00F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F700F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F5E0F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] SHELL32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F580F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] SHELL32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F550F5A .text C:\Program Files\Spyware Doctor\pctsAuxs.exe[300] SHELL32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F4F0F5A .text C:\Program Files\Spyware 
Doctor\pctsAuxs.exe[300] SHELL32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F520F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [4C, 5F] {DEC ESP; POP EDI} .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [3A, 5F] .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F690F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F720F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F130F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F100F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F220F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5F7E0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F570F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F160F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 
Bytes [05, 5F] .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F6F0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044AD11 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools) .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F660F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F3C0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F5A0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F3F0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F330F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F6C0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F600F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F5D0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F630F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F750F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F4E0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F420F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] 
USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F450F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [7C, 5F] {JL 0x61} .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F190F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F510F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5F780F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F480F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F360F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [55, 5F] {PUSH EBP; POP EDI} .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] shell32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F300F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] shell32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F2D0F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] shell32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F250F5A .text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] shell32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F2A0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [4C, 5F] {DEC ESP; POP EDI} .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [3A, 5F] 
.text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F690F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F720F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F130F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F100F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F220F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F1F0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5F7E0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F570F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F160F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [05, 5F] .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F6F0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044ACCD C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools) .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F660F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!TerminateThread 
7C81CB23 6 Bytes JMP 5F3C0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F5A0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F3F0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F330F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F6C0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F600F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F5D0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F630F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F750F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F0A0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F4E0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F1C0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F420F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F450F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [7C, 5F] {JL 0x61} .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F190F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F510F5A .text 
C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5F780F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F480F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F360F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [55, 5F] {PUSH EBP; POP EDI} .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] shell32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F300F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] shell32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F2D0F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] shell32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F250F5A .text C:\Program Files\Spyware Doctor\pctsTray.exe[744] shell32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F2A0F5A .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes 
[FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [62, 5F] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\svchost.exe[752] 
ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00ED0001 .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F970F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F640F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes 
JMP 5F820F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F670F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\svchost.exe[752] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F940F5A .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F880F5A .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F850F5A .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F9D0F5A .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\svchost.exe[752] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F760F5A .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F6A0F5A .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F6D0F5A .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F790F5A .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F700F5A .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F5E0F5A .text C:\WINDOWS\system32\svchost.exe[752] 
USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\svchost.exe[752] SHELL32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\svchost.exe[752] SHELL32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\svchost.exe[752] SHELL32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\svchost.exe[752] SHELL32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtRenameKey + 4 7C90DA44 2 
Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\WINDOWS\system32\csrss.exe[864] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01400001 .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateKey + 
4 7C90D0D4 2 Bytes [05, 5F] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01B10001 .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\winlogon.exe[892] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\winlogon.exe[892] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\WINDOWS\system32\winlogon.exe[892] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] 
ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [68, 5F] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text 
C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F850F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EB0001 .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\services.exe[936] 
kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5F9A0F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F730F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F820F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F760F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F880F5A .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F7C0F5A .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F790F5A .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F910F5A .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\services.exe[936] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F6A0F5A .text C:\WINDOWS\system32\services.exe[936] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\services.exe[936] USER32.dll!GetKeyState 
7E379ED9 6 Bytes JMP 5F5E0F5A .text C:\WINDOWS\system32\services.exe[936] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F610F5A .text C:\WINDOWS\system32\services.exe[936] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\WINDOWS\system32\services.exe[936] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\services.exe[936] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F6D0F5A .text C:\WINDOWS\system32\services.exe[936] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5F940F5A .text C:\WINDOWS\system32\services.exe[936] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F640F5A .text C:\WINDOWS\system32\services.exe[936] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\services.exe[936] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[936] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [71, 5F] {JNO 0x61} .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtDeleteKey 7C90D230 
3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [62, 5F] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 
1E] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E20001 .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F970F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F640F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F820F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!DebugActiveProcess 7C85B02B 
6 Bytes JMP 5F670F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F940F5A .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F880F5A .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F850F5A .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F9D0F5A .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\lsass.exe[948] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F760F5A .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F6A0F5A .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F6D0F5A .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F790F5A .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F700F5A .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F5E0F5A .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[948] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 
Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\lsass.exe[948] SHELL32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\lsass.exe[948] SHELL32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\lsass.exe[948] SHELL32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\lsass.exe[948] SHELL32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 
1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [62, 5F] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E10001 .text 
SHELL32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\svchost.exe[1620] SHELL32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\svchost.exe[1620] SHELL32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F520F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\system32\spoolsv.exe[1724] 
ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [62, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D50001 .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes 
JMP 5F370F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F400F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F970F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F640F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F820F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F670F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F940F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F880F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F850F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F9D0F5A .text 
C:\WINDOWS\system32\spoolsv.exe[1724] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F760F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F460F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F6A0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F6D0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F430F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F790F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F700F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F5E0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1724] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\system32\spoolsv.exe[1724] SHELL32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F580F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] SHELL32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F550F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] SHELL32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\system32\spoolsv.exe[1724] SHELL32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F520F5A .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtClose + 4 7C90CFD4 2 
Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [74, 5F] {JZ 0x61} .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [62, 5F] .text 
C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01710001 .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F400F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text 
C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F970F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F640F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F820F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F670F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F940F5A .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F880F5A .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F850F5A .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F9D0F5A .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F340F5A .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F760F5A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F460F5A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F6A0F5A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F6D0F5A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F430F5A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 
5F790F5A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5FA00F5A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F700F5A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F5E0F5A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [7D, 5F] {JGE 0x61} .text C:\WINDOWS\Explorer.EXE[1836] SHELL32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F580F5A .text C:\WINDOWS\Explorer.EXE[1836] SHELL32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F550F5A .text C:\WINDOWS\Explorer.EXE[1836] SHELL32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\Explorer.EXE[1836] SHELL32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F520F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] 
ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [68, 5F] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [56, 5F] {PUSH ESI; POP EDI} .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtWriteFile 7C90DF60 
3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F850F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001 .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5F9A0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F730F5A .text C:\Program 
Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F400F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F820F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F580F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F760F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F5B0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F4F0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F880F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F460F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F5E0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F610F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [98, 5F] {CWDE ; POP EDI} .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F430F5A .text C:\Program 
Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F6D0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5F940F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F640F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F520F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [71, 5F] {JNO 0x61} .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F7C0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F790F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F7F0F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F910F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F340F5A .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1872] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F6A0F5A .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1884] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] 
ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes 
[0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [62, 5F] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 005E0001 .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 
5F3A0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5FA60F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F7F0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F400F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F970F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F640F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F820F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F670F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F5B0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F940F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F460F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F6A0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 
5F6D0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F430F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F790F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5FA00F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F700F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F5E0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F880F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F850F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F9D0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F340F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F760F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] SHELL32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F580F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] SHELL32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 
5F550F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] SHELL32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F4F0F5A .text C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[1972] SHELL32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F520F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [2C, 5F] {SUB AL, 0x5f} .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtCreateFile 7C90D090 1 Byte [FF] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtCreateFile 7C90D090 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtCreateFile + 4 7C90D094 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtCreateKey 7C90D0D0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtCreateKey + 4 7C90D0D4 2 Bytes [05, 5F] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [23, 5F] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtDeleteKey 7C90D230 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtDeleteKey + 4 7C90D234 2 Bytes [0B, 5F] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtDeleteValueKey 7C90D250 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtDeleteValueKey + 4 7C90D254 2 Bytes [11, 5F] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] 
ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [74, 5F] {JZ 0x61} .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtRenameKey 7C90DA40 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtRenameKey + 4 7C90DA44 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtSetInformationFile 7C90DC40 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtSetInformationFile + 4 7C90DC44 2 Bytes [20, 5F] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtSetValueKey 7C90DDB0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtSetValueKey + 4 7C90DDB4 2 Bytes [0E, 5F] {PUSH CS; POP EDI} .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [62, 5F] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [26, 5F] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtWriteFile 7C90DF60 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtWriteFile + 4 7C90DF64 2 Bytes [1A, 5F] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtWriteFileGather 7C90DF70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtWriteFileGather + 4 7C90DF74 2 Bytes [1D, 5F] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] 
ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [29, 5F] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F910F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F9A0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F310F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006D0001 .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F3D0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F370F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F3A0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F4C0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F490F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5FA60F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F7F0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F400F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [2F, 5F] {DAS ; POP EDI} .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F970F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] 
kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F8E0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F640F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F820F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F670F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F5B0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F940F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F880F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F850F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F8B0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F9D0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F340F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F760F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F460F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F6A0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F6D0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!ShowWindow 
+ 4 7E37AF5A 2 Bytes [A4, 5F] {MOVSB ; POP EDI} .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F430F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F790F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5FA00F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F700F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F5E0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [7D, 5F] {JGE 0x61} .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] SHELL32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F580F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] SHELL32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F550F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] SHELL32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F4F0F5A .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2036] SHELL32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F520F5A .text C:\WINDOWS\System32\alg.exe[2252] ntdll.dll!NtLoadDriver 7C90D450 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2252] ntdll.dll!NtLoadDriver + 4 7C90D454 2 Bytes [4A, 5F] {DEC EDX; POP EDI} .text C:\WINDOWS\System32\alg.exe[2252] ntdll.dll!NtSuspendProcess 7C90DE10 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2252] ntdll.dll!NtSuspendProcess + 4 7C90DE14 2 Bytes [38, 5F] .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!CreateFileA 7C801A28 6 Bytes JMP 5F670F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!VirtualProtect 7C801AD4 6 Bytes JMP 5F700F5A 
.text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 5F130F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 5F100F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F220F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!LoadResource 7C80A045 6 Bytes JMP 5F7C0F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!GetProcAddress 7C80AE30 6 Bytes JMP 5F550F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!LoadLibraryW 7C80AEDB 6 Bytes JMP 5F160F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!CreateRemoteThread 7C8104BC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!CreateRemoteThread + 4 7C8104C0 2 Bytes [05, 5F] .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!CreateThread 7C8106C7 6 Bytes JMP 5F6D0F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!CreateFileW 7C8107F0 6 Bytes JMP 5F640F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!TerminateThread 7C81CB23 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!GetVolumeInformationA 7C821B8D 6 Bytes JMP 5F580F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!DebugActiveProcess 7C85B02B 6 Bytes JMP 5F3D0F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!WinExec 7C8623AD 6 Bytes JMP 5F310F5A .text C:\WINDOWS\System32\alg.exe[2252] kernel32.dll!CreateToolhelp32Snapshot 7C865B1F 6 Bytes JMP 5F6A0F5A .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!GetKeyState 7E379ED9 6 Bytes JMP 5F400F5A .text 
C:\WINDOWS\System32\alg.exe[2252] USER32.dll!GetAsyncKeyState 7E37A78F 6 Bytes JMP 5F430F5A .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!ShowWindow 7E37AF56 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!ShowWindow + 4 7E37AF5A 2 Bytes [7A, 5F] {JP 0x61} .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 5F190F5A .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 5F4F0F5A .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!GetWindowTextA 7E38216B 6 Bytes JMP 5F760F5A .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!DdeConnect 7E3A81C3 6 Bytes JMP 5F460F5A .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!EndTask 7E3AA0A5 6 Bytes JMP 5F340F5A .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!RegisterRawInputDevices 7E3BCE0E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2252] USER32.dll!RegisterRawInputDevices + 4 7E3BCE12 2 Bytes [53, 5F] {PUSH EBX; POP EDI} .text C:\WINDOWS\System32\alg.exe[2252] ADVAPI32.dll!RegOpenKeyExA 77DC7842 6 Bytes JMP 5F5E0F5A .text C:\WINDOWS\System32\alg.exe[2252] ADVAPI32.dll!RegCreateKeyExA 77DCE9E4 6 Bytes JMP 5F5B0F5A .text C:\WINDOWS\System32\alg.exe[2252] ADVAPI32.dll!RegSetValueExA 77DCEAD7 6 Bytes JMP 5F610F5A .text C:\WINDOWS\System32\alg.exe[2252] ADVAPI32.dll!OpenSCManagerA 77DE697E 6 Bytes JMP 5F730F5A .text C:\WINDOWS\System32\alg.exe[2252] ADVAPI32.dll!LsaRemoveAccountRights 77E0AC69 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\System32\alg.exe[2252] ADVAPI32.dll!CreateServiceA 77E271E9 6 Bytes JMP 5F4C0F5A .text C:\WINDOWS\System32\alg.exe[2252] SHELL32.dll!ShellExecuteExW 7CA02F03 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\System32\alg.exe[2252] SHELL32.dll!ShellExecuteEx 7CA40E25 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\System32\alg.exe[2252] SHELL32.dll!ShellExecuteA 7CA41150 6 Bytes JMP 5F250F5A .text C:\WINDOWS\System32\alg.exe[2252] SHELL32.dll!ShellExecuteW 7CAB5BF0 6 Bytes JMP 5F280F5A ---- Kernel IAT/EAT - GMER 
1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 89BA22D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F750FDDC] spgv.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F750FE30] spgv.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74E5042] spgv.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74E513E] spgv.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74E50C0] spgv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74E5800] spgv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74E56D6] spgv.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 897F62D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74F4B90] spgv.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89B9F1F8
AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
Device \Driver\usbuhci \Device\USBPDO-0 897F51F8
Device \Driver\usbuhci \Device\USBPDO-1 897F51F8
Device \Driver\usbuhci \Device\USBPDO-2 897F51F8
Device \Driver\usbuhci \Device\USBPDO-3 897F51F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9BA4ADB6-765A-48B9-B331-8FABD1632B08} 896A0500
Device \Driver\usbehci \Device\USBPDO-4 897C61F8
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
Device \Driver\Ftdisk \Device\HarddiskVolume1 89C111F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89C111F8
Device \Driver\Cdrom \Device\CdRom0 897B6500
Device \Driver\atapi \Device\Ide\IdePort0 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-e [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 89C111F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 896A0500
Device \Driver\NetBT \Device\NetbiosSmb 896A0500
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
Device \Driver\usbuhci \Device\USBFDO-0 897F51F8
Device \Driver\usbuhci \Device\USBFDO-1 897F51F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8960B500
Device \Driver\usbuhci \Device\USBFDO-2 897F51F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8960B500
Device \Driver\usbuhci \Device\USBFDO-3 897F51F8
Device \Driver\usbehci \Device\USBFDO-4 897C61F8
Device \Driver\Ftdisk \Device\FtControl 89C111F8
Device \FileSystem\Cdfs \Cdfs 894B51F8

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
Service C:\WINDOWS\system32\cisvc.exe? (*** hidden *** ) [MANUAL] CiSvc <-- ROOTKIT !!!
Service C:\WINDOWS\system32\clipsrv.exe? (*** hidden *** ) [MANUAL] ClipSrv <-- ROOTKIT !!!
Service C:\WINDOWS\system32\imapi.exe? (*** hidden *** ) [MANUAL] ImapiService <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] PolicyAgent <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] ProtectedStorage <-- ROOTKIT !!!
Service C:\WINDOWS\system32\spoolsv.exe? (*** hidden *** ) [AUTO] Spooler <-- ROOTKIT !!!
Service C:\WINDOWS\System32\ups.exe? (*** hidden *** ) [MANUAL] UPS <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9E 0xE0 0x48 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBB 0xF2 0x0B 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x63 0xDB 0xA9 0x06 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x70 0x79 0x87 0x08 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7A1D9B49-0643-2B1C-7AFA-4F401BE447E8}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7A1D9B49-0643-2B1C-7AFA-4F401BE447E8}@jaecalcpgnlgleeijpkl 0x62 0x61 0x61 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7A1D9B49-0643-2B1C-7AFA-4F401BE447E8}@jaecalcpgnlgleeijpgk 0x62 0x61 0x6E 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7A1D9B49-0643-2B1C-7AFA-4F401BE447E8}@iaebenhgkfdkpbblbi 0x6B 0x61 0x66 0x65 ...

---- EOF - GMER 1.0.15 ----