Services.exe Problem

I'll start by saying that, in my opinion, the problem shows the typical symptoms of Sasser. At first (3 weeks ago) large numbers of small files of a few KB each piled up in Temp, later there were sporadic Services.exe errors, and then the icon of Avast and its mail scanner appeared o.O It turned out the computer was trying to send mass e-mail messages, commonly known as spam LOL. Avast proved ineffective and the problems continued; the only thing that got beaten was the piling up of files in Temp. So I decided to install Norton 2006, which may have been my mistake, because Norton couldn't cope either: its mail scanner also went crazy and kept scanning outgoing e-mails, and the services.exe error kept occurring. Panda is on the disk now, but from what I can see it is just as ineffective, except that it doesn't display messages about spam 8) The services.exe error and a restart every 60 sec after each connection to the Internet. Offline the problem doesn't occur. Below is the log from HijackThis; what seemed suspicious, and what I could remove, has been removed (oh, and I'll add that the dedicated removal tools didn't help and found nothing :/). The rest is for you to judge. Thanks in advance for your help and for any tips ;) Regards

Logfile of HijackThis v1.99.1
Scan saved at 03:02:09, on 2007-07-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
C:\WINDOWS\explorer.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\PowerS.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Dzifii\Pulpit\HijackThis.exe
C:\WINDOWS\system32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [Corel Graphics Suite 1117] C:\Program Files\Corel\Corel Graphics 11\Register\registration.exe /title="Corel Graphics Suite 11" /date=120706 serial=DR11CTD-9999999-KHM
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB01BCA-02CE-4ABD-B9FC-DD53AEB2C348}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Harmonogram automatycznej usługi LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\TPSrv.exe

Replies: 1

There's not much to see here anymore. Let's move on to other logs: Silent runners + Combofix + Gmer. You still have a leftover from Norton: LiveUpdate. If the system tries to restart and the 60-second countdown starts running, go to Start -> Run and type shutdown -a (that will stop the restart)
Żółty
Posted
23.07.2007 14:16:12
  • amiigo 23.07.2007 14:21:03

    [quote=Żółty] If the system tries to restart and the 60-second countdown starts running, go to Start -> Run and type shutdown -a (that will stop the restart)[/quote]
    yeah...... the command was effective, but that was last week ;) it has already stopped responding to the command :/ I'll add the rest of the logs in a moment ;]

    Edit: Well, time for the logs ...

    [b] Silent runners [/b] I couldn't get it to run :/ I dug around in the file types to make it open, that didn't help; I turned Panda off so it wouldn't block it, that didn't help; the Symantec program > noscript.exe didn't work either :/ in the end the registry entry didn't work either :/

    [b]Combofix[/b] Something like this popped up, but the scan succeeded
    [URL=http://imageshack.us][IMG]http://img516.imageshack.us/img516/5180/combofixgo0.jpg[/IMG][/URL]

    "Dzifii" - 2007-07-23 13:06:03 - ComboFix 07-07-23.6 - Dodatek Service Pack 2 NTFS
    [color=red][b] Rootkit driver pe386 is present. ... attempting disinfection [/b][/color]
    [color=blue] pe386 ...... driver unloaded successfully.[/color]
    [i] ADS removed - system32: deleted 54654 bytes in 1 streams.
[/i]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\exefld
C:\WINDOWS\system32\_000009_.tmp.dll

((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))

2007-07-19 11:41 0 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2007-07-19 11:36 9,216 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-07-19 11:36 71,552 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-07-19 11:36 44,544 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-07-19 11:36 36,864 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-07-19 11:36 23,296 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-07-19 11:36 185,472 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-07-19 11:36 164,320 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-07-19 11:36 16,256 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-07-19 11:36 141,312 --a------ C:\WINDOWS\system32\drivers\netflt.sys
2007-07-19 11:36 103,936 --a------ C:\WINDOWS\system32\drivers\netfltdi.sys
2007-07-19 11:35 9,488 --a------ C:\WINDOWS\system32\sporder.dll
2007-07-19 11:35 57,344 --a------ C:\WINDOWS\system32\pavipc.dll
2007-07-19 11:35 45,056 --a------ C:\WINDOWS\system32\avldr.dll
2007-07-19 11:35 245,760 --a------ C:\WINDOWS\system32\PavSHook.dll
2007-07-19 11:35 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-07-19 11:35 16,640 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2007-07-19 11:35 139,264 --a------ C:\WINDOWS\system32\TpUtil.dll
2007-07-19 11:35 101,888 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2007-07-19 11:35 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-07-19 11:34 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
2007-07-19 11:34 165,120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-07-19 11:34 <DIR> d-------- C:\Program Files\Panda Software
2007-07-19 11:32 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-07-19 02:54 <DIR> d-------- C:\Program Files\Symantec
2007-07-18 16:16 <DIR> d-------- C:\Program Files\IrfanView
2007-07-11 17:50 <DIR> d-------- C:\Program Files\DC++
2007-07-06 21:58 <DIR> d-------- C:\DOCUME~1\Dzifii\DANEAP~1\teamspeak2
2007-07-06 21:57 <DIR> d-------- C:\Program Files\Teamspeak2_RC2

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-23 11:07:40 1,132 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2007-07-23 00:43:21 -------- d-----w C:\Program Files\cFosSpeed
2007-07-22 21:08:49 -------- d-----w C:\DOCUME~1\Dzifii\DANEAP~1\Skype
2007-07-20 15:47:59 -------- d-----w C:\Program Files\Tlen.pl
2007-07-19 12:14:46 -------- d-----w C:\Program Files\Winamp
2007-07-19 12:14:30 -------- d-----w C:\Program Files\TrojanHunter 4.6
2007-07-19 12:14:15 -------- d-----w C:\Program Files\TC PowerPack
2007-07-19 12:11:38 -------- d-----w C:\Program Files\MSN Messenger
2007-07-19 12:11:18 -------- d-----w C:\Program Files\Messenger
2007-07-19 09:56:28 50,336 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-07-19 09:56:28 358,390 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-07-19 09:35:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-19 09:30:11 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-19 00:48:16 -------- d-----w C:\Program Files\ICQToolbar
2007-07-18 18:38:18 44,872 ----a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2007-07-18 14:06:12 -------- d-----w C:\DOCUME~1\Dzifii\DANEAP~1\Canon
2007-07-17 21:11:01 -------- d-----w C:\Program Files\Neostrada TP
2007-07-13 10:49:14 3,545 ----a-w C:\WINDOWS\mozver.dat
2007-07-12 01:37:21 -------- d-----w C:\Program Files\Damian Pasternak
2007-07-06 17:08:40 -------- d-----w C:\DOCUME~1\Dzifii\DANEAP~1\ICQ Toolbar
2007-07-05 12:33:58 -------- d-----w C:\Program Files\ICQ6
2007-07-02 09:14:28 -------- d-----w C:\Program Files\Image-Line
2007-06-09 21:06:01 -------- d-----w C:\Program Files\ADSL USB Router
2007-06-09 20:51:39 -------- d-----w C:\Program Files\ADSL Utility
2007-06-09 20:43:37 -------- d-----w C:\Program Files\Common Files\SWF Studio
2007-06-09 20:31:03 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-06-09 20:30:46 -------- d-----w C:\Program Files\SAGEM
2007-06-09 12:17:45 -------- d-----w C:\DOCUME~1\Dzifii\DANEAP~1\ICQ
2007-05-26 08:27:59 -------- d-----w C:\Program Files\Toribash-2.5
2007-05-26 08:27:23 -------- d-----w C:\Program Files\Kyodai Mahjongg 2006
2007-05-16 15:18:58 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 13:17:25 155,600 ----a-w C:\WINDOWS\SST Uninstaller.exe
2007-04-25 14:23:30 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2004-05-01 20:11:38 54,272 --sh--w C:\WINDOWS\old_mod_lib.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 15:07 C:\WINDOWS\soundman.exe]
"Corel Graphics Suite 1117"="C:\Program Files\Corel\Corel Graphics 11\Register\registration.exe" []
"APVXDWIN"="C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.exe" [2006-10-11 12:09]
"SCANINICIO"="C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe" [2006-02-01 18:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe "
"System"="csoyz.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2005-09-27 12:13 45056 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^expressivo.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\expressivo.lnk
backup=C:\WINDOWS\pss\expressivo.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dzifii^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
path=C:\Documents and Settings\Dzifii\Menu Start\Programy\Autostart\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dzifii^Menu Start^Programy^Autostart^HDDlife.lnk]
path=C:\Documents and Settings\Dzifii\Menu Start\Programy\Autostart\HDDlife.lnk
backup=C:\WINDOWS\pss\HDDlife.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Dzifii^Menu Start^Programy^Autostart^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\Dzifii\Menu Start\Programy\Autostart\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cFosSpeed]
"C:\Program Files\cFosSpeed\cFosSpeed.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanRegPath]
C:\PROGRA~1\ADSLUT~1\CleanReg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hldrrr]
C:\WINDOWS\system32\hldrrr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
"C:\Program Files\ICQ6\ICQ.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InternetCalls]
"C:\Program Files\InternetCalls.com\InternetCalls\InternetCalls.exe" -nosplash -minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator]
C:\Program Files\Tlen.pl\tlen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
"C:\Program Files\TrojanHunter 4.6\THGuard.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrafMonitor]
C:\Program Files\TrafMeter\trafmonitor.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TweakRAM]
"C:\Program Files\TweakRAM\TweakRAM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winconf]
C:\WINDOWS\TEMP\DF2DEE87.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"ose"=3 (0x3)
"svcWRSSSDK"=2 (0x2)
"cFosSpeedS"=2 (0x2)

R0 netflt;Panda Net Driver [NDIS Layer];C:\WINDOWS\system32\drivers\netflt.sys
R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R0 SSFS041A;SSFS041A;C:\WINDOWS\system32\Drivers\SSFS041A.SYS
R1 APPFLT;App Filter Plugin;\??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R1 atitray;atitray;\??\C:\Program Files\Radeon Omega Drivers\v3.8.221\ATI Tray Tools\atitray.sys
R1 DSAFLT;DSA Filter Plugin;\??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
R1 FNETMON;NetMon Filter Plugin;\??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
R1 IDSFLT;Ids Filter Plugin;\??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
R1 MemAlloc;MemAlloc;C:\WINDOWS\system32\DRIVERS\memalloc.sys
R1 NETFLTDI;Panda Net Driver [TDI Layer];\??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
R1 sdpiosys;sdpiosys;C:\WINDOWS\system32\drivers\sdpiosys.sys
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys
R1 SMSFLT;SMS Filter Plugin;\??\C:\WINDOWS\system32\Drivers\SMSFLT.SYS
R1 WNMFLT;Wifi Monitor Filter Plugin;\??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\drivers\cpoint.sys
R2 PAVDRV;pavdrv;C:\WINDOWS\system32\DRIVERS\pavdrv51.sys
R2 PavProc;Panda Process Protection Driver;\??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
R2 XPROTECTOR;XPROTECTOR;\??\C:\WINDOWS\system32\drivers\XPROTECTOR.SYS
R3 actser;actser;C:\WINDOWS\system32\drivers\actser.sys
R3 adiusbaw;USB ADSL WAN Adapter;C:\WINDOWS\system32\DRIVERS\adiusbaw.sys
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
R3 cFosSpeed;cFosSpeed Miniport;C:\WINDOWS\system32\DRIVERS\cfosspeed.sys
R3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
R3 irsir;Sterownik portu szeregowego podczerwieni Microsoft;C:\WINDOWS\system32\DRIVERS\irsir.sys
R3 ms_mpu401;Sterownik portu MIDI UART Microsoft MPU-401;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
R3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
R3 rtl8029;Sterownik NT karty Realtek RTL8029(AS)-based PCI Ethernet;C:\WINDOWS\system32\DRIVERS\RTL8029.SYS
R3 SSKBFD;SSKBFD;C:\WINDOWS\system32\Drivers\sskbfd.sys
R3 vsbus;Virtual Serial Bus Enumerator;C:\WINDOWS\system32\DRIVERS\vsb.sys
S1 LStone;Pinnacle Systems Studio AV/DV Overlay;C:\WINDOWS\system32\DRIVERS\lstone2k.sys
S2 ADILOADER;General Purpose USB Driver (adildr.sys);C:\WINDOWS\system32\Drivers\adildr.sys
S2 BT878;BtCap, WDM Video Capture;C:\WINDOWS\system32\drivers\BT878.SYS
S2 BTTUNER;BtTuner, WDM TV Tuner;C:\WINDOWS\system32\drivers\BTTUNER.SYS
S2 BTXBAR;BtXBar, WDM Crossbar;C:\WINDOWS\system32\drivers\BTXBAR.SYS
S3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN);C:\WINDOWS\system32\DRIVERS\alcan5wn.sys
S3 alcaudsl;SpeedTouch ADSL Modem ATM Transport;C:\WINDOWS\system32\DRIVERS\alcaudsl.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\C:\WINDOWS\System32\DRIVERS\ASPI32.sys
S3 ASUSHWIO;ASUSHWIO;\??\C:\WINDOWS\system32\drivers\ASUSHWIO.sys
S3 BTRemote BT8x8;BTRemote BT8x8;\??\D:\BtRemote\WINDRVR.SYS
S3 CnxTrUsb;Conexant USB Network Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxTrUsb.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 nuvaud2;Pinnacle DVC 80 Audio;C:\WINDOWS\system32\DRIVERS\nuvaud2.sys
S3 NUVision;Pinnacle DVC 80 Video;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys
S3 nvax;Service for NVIDIA(R) nForce(TM) Audio Enumerator;C:\WINDOWS\system32\drivers\nvax.sys
S3 NVENET;NVIDIA nForce Networking Controller Driver;C:\WINDOWS\system32\DRIVERS\NVENET.sys
S3 nvnforce;Service for NVIDIA(R) nForce(TM) Audio;C:\WINDOWS\system32\drivers\nvapu.sys
S3 ProcObsrv;Process creation detector.;\??\C:\Program Files\Tygrysek\ProcObsrv.sys
S3 vserial;ELTIMA Virtual Serial Ports Driver;C:\WINDOWS\system32\DRIVERS\vserial.sys
S4 cFosSpeedS;cFosSpeed System Service;"C:\Program Files\cFosSpeed\spd.exe" -service

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 13:12:02
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\hamachi]
"ImagePath"="system32\DRIVERS\hamachi.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\H a r m o n o g r a m a u t o m a t y c z n e j u s Bu g i L i v e U p d a t e ]
"ImagePath"="\"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe\""

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HidUsb]
"ImagePath"="system32\DRIVERS\hidusb.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\hpn]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"

Completion time: 2007-07-23 13:14:05
C:\ComboFix-quarantined-files.txt ... 2007-07-23 13:13

--- E O F ---

[b]Gmer[/b]

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-23 14:31:54
Windows 5.1.2600 Dodatek Service Pack 2

---- System - GMER 1.0.13 ----

SSDT d347bus.sys ZwClose
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwCreateKey
SSDT d347bus.sys ZwCreatePagingFile
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwDeleteKey
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwDeleteValueKey
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwEnumerateKey
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwEnumerateValueKey
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwOpenKey
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwQueryKey
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwQueryValueKey
SSDT d347bus.sys ZwSetSystemPowerState
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\PavSRK.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

? ComboFix.sys Nie można odnaleźć określonego pliku.
? C:\WINDOWS\system32\PavSRK.sys Nie można odnaleźć określonego pliku.
? C:\WINDOWS\system32\PavTPK.sys Nie można odnaleźć określonego pliku.
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Nie można odnaleźć określonego pliku.
? system32\drivers\av5flt.sys Nie można odnaleźć określonego pliku.
? C:\WINDOWS\system32\DRIVERS\COMFiltr.sys Nie można odnaleźć określonego pliku.
? C:\DOCUME~1\Dzifii\USTAWI~1\Temp\catchme.sys Nie można odnaleźć określonego pliku.
C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 49, 5F ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F330F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] kernel32.dll!CreateFileMappingW 7C80938E 6 Bytes JMP 5F3C0F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] kernel32.dll!MapViewOfFileEx 7C80B896 6 Bytes JMP 5F360F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 40, 5F ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] kernel32.dll!CreateProcessInternalW 7C819513 3 Bytes [ FF, 25, 1E ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] kernel32.dll!CreateProcessInternalW + 4 7C819517 2 Bytes [ 46, 5F ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [ FF, 25, 1E ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [ 43, 5F ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F390F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FA80F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F930F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F900F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!GetKeyState 7E36C505 6 
Bytes JMP 5F9F0F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!BeginDeferWindowPos 7E36D907 6 Bytes JMP 5F8D0F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!GetKeyboardState 7E36EF29 3 Bytes [ FF, 25, 1E ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!GetKeyboardState + 4 7E36EF2D 2 Bytes [ 9D, 5F ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!GetAsyncKeyState 7E36F3B3 6 Bytes JMP 5F960F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!CreateAcceleratorTableW 7E37D3C1 3 Bytes [ FF, 25, 1E ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!CreateAcceleratorTableW + 4 7E37D3C5 2 Bytes [ A3, 5F ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!SetWindowsHookExW 7E37DDB5 6 Bytes JMP 5FA50F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!SetWindowsHookExA 7E3811D1 6 Bytes JMP 5F8A0F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!AttachThreadInput 7E381E12 3 Bytes [ FF, 25, 1E ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] USER32.dll!AttachThreadInput + 4 7E381E16 2 Bytes [ 9A, 5F ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!CloseServiceHandle 77DD5E4D 6 Bytes JMP 5F100F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!OpenServiceW 77DD6165 6 Bytes JMP 5F220F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!ControlService 77DDB635 6 Bytes JMP 5F130F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!OpenServiceA 77DDB88C 6 Bytes JMP 5F1F0F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!StartServiceW 77DDBBAC 6 Bytes JMP 5F2A0F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] 
ADVAPI32.dll!StartServiceA 77DE3238 6 Bytes JMP 5F250F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!LsaAddAccountRights 77E0A9A1 6 Bytes JMP 5F2D0F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!LsaRemoveAccountRights 77E0AA41 6 Bytes JMP 5F300F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 6 Bytes JMP 5F040F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 6 Bytes JMP 5F070F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 6 Bytes JMP 5F0A0F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 6 Bytes JMP 5F0D0F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!CreateServiceA 77E27071 6 Bytes JMP 5F160F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!CreateServiceW 77E27209 3 Bytes [ FF, 25, 1E ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!CreateServiceW + 4 77E2720D 2 Bytes [ 1A, 5F ] .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ADVAPI32.dll!DeleteService 77E27311 6 Bytes JMP 5F1C0F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ole32.dll!CoCreateInstanceEx 774EFA6B 6 Bytes JMP 5F870F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ole32.dll!CoGetClassObject 77505DB2 6 Bytes JMP 5F840F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ole32.dll!CLSIDFromProgID 775142CC 6 Bytes JMP 5F810F5A .text C:\DOCUME~1\Dzifii\USTAWI~1\Temp\Rar$EX00.156\gmer.exe[584] ole32.dll!CLSIDFromProgIDEx 775461FE 6 Bytes JMP 5F7E0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 4A, 
5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 6B, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 4D, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtDeleteFile 7C90D88F 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtDeleteFile + 4 7C90D893 2 Bytes [ 6E, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 50, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 53, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtDuplicateObject 7C90D90D 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtDuplicateObject + 4 7C90D911 2 Bytes [ 56, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtEnumerateKey 7C90D94C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtEnumerateKey + 4 7C90D950 2 Bytes [ 59, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtEnumerateValueKey 7C90D976 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtEnumerateValueKey + 4 7C90D97A 2 Bytes [ 5C, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtOpenFile 7C90DCFD 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtOpenFile + 4 7C90DD01 2 Bytes [ 71, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtQueryMultipleValueKey 7C90E0AE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtQueryMultipleValueKey + 4 7C90E0B2 2 Bytes [ 5F, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtQueryValueKey 
7C90E1FE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtQueryValueKey + 4 7C90E202 2 Bytes [ 62, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtReadFile 7C90E27C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtReadFile + 4 7C90E280 2 Bytes [ 74, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 77, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 65, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtUnloadKey 7C90E90C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtUnloadKey + 4 7C90E910 2 Bytes [ 68, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 7A, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 47, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] kernel32.dll!CreateFileMappingW 7C80938E 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] kernel32.dll!MapViewOfFileEx 7C80B896 6 Bytes JMP 5F340F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 3E, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] kernel32.dll!CreateProcessInternalW 7C819513 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] kernel32.dll!CreateProcessInternalW + 4 7C819517 2 Bytes [ 44, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [ FF, 25, 
1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [ 41, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F370F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F910F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!GetKeyState 7E36C505 6 Bytes JMP 5F9D0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!BeginDeferWindowPos 7E36D907 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!GetKeyboardState 7E36EF29 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!GetKeyboardState + 4 7E36EF2D 2 Bytes [ 9B, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!GetAsyncKeyState 7E36F3B3 6 Bytes JMP 5F940F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!CreateAcceleratorTableW 7E37D3C1 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!CreateAcceleratorTableW + 4 7E37D3C5 2 Bytes [ A1, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!SetWindowsHookExW 7E37DDB5 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!SetWindowsHookExA 7E3811D1 6 Bytes JMP 5F880F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!AttachThreadInput 7E381E12 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] USER32.dll!AttachThreadInput + 4 7E381E16 2 Bytes [ 98, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!CloseServiceHandle 77DD5E4D 6 Bytes JMP 5F100F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!OpenServiceW 77DD6165 6 Bytes JMP 5F220F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!ControlService 77DDB635 6 Bytes JMP 5F130F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!OpenServiceA 77DDB88C 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!StartServiceW 77DDBBAC 6 Bytes JMP 5F280F5A .text 
C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!StartServiceA 77DE3238 6 Bytes JMP 5F250F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!LsaAddAccountRights 77E0A9A1 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!LsaRemoveAccountRights 77E0AA41 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 6 Bytes JMP 5F040F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 6 Bytes JMP 5F070F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!CreateServiceA 77E27071 6 Bytes JMP 5F160F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!CreateServiceW 77E27209 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!CreateServiceW + 4 77E2720D 2 Bytes [ 1A, 5F ] .text C:\WINDOWS\SOUNDMAN.EXE[740] ADVAPI32.dll!DeleteService 77E27311 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ole32.dll!CoCreateInstanceEx 774EFA6B 6 Bytes JMP 5F850F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ole32.dll!CoGetClassObject 77505DB2 6 Bytes JMP 5F820F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ole32.dll!CLSIDFromProgID 775142CC 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\SOUNDMAN.EXE[740] ole32.dll!CLSIDFromProgIDEx 775461FE 6 Bytes JMP 5F7C0F5A .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 4A, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 6B, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtCreateKey + 4 7C90D6DA 
2 Bytes [ 4D, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtDeleteFile 7C90D88F 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtDeleteFile + 4 7C90D893 2 Bytes [ 6E, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 50, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 53, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtDuplicateObject 7C90D90D 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtDuplicateObject + 4 7C90D911 2 Bytes [ 56, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtEnumerateKey 7C90D94C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtEnumerateKey + 4 7C90D950 2 Bytes [ 59, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtEnumerateValueKey 7C90D976 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtEnumerateValueKey + 4 7C90D97A 2 Bytes [ 5C, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtOpenFile 7C90DCFD 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtOpenFile + 4 7C90DD01 2 Bytes [ 71, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtQueryMultipleValueKey 7C90E0AE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtQueryMultipleValueKey + 4 7C90E0B2 2 Bytes [ 5F, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtQueryValueKey 7C90E1FE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtQueryValueKey + 4 7C90E202 2 Bytes [ 62, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtReadFile 7C90E27C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtReadFile + 4 7C90E280 2 Bytes [ 74, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtSetInformationFile + 4 
7C90E5DD 2 Bytes [ 77, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 65, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtUnloadKey 7C90E90C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtUnloadKey + 4 7C90E910 2 Bytes [ 68, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 7A, 5F ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 47, 5F ] .text C:\WINDOWS\PowerS.exe[756] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\WINDOWS\PowerS.exe[756] kernel32.dll!CreateFileMappingW 7C80938E 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\PowerS.exe[756] kernel32.dll!MapViewOfFileEx 7C80B896 6 Bytes JMP 5F340F5A .text C:\WINDOWS\PowerS.exe[756] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 3E, 5F ] .text C:\WINDOWS\PowerS.exe[756] kernel32.dll!CreateProcessInternalW 7C819513 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] kernel32.dll!CreateProcessInternalW + 4 7C819517 2 Bytes [ 44, 5F ] .text C:\WINDOWS\PowerS.exe[756] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [ 41, 5F ] .text C:\WINDOWS\PowerS.exe[756] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F370F5A .text C:\WINDOWS\PowerS.exe[756] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\PowerS.exe[756] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F910F5A .text C:\WINDOWS\PowerS.exe[756] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\PowerS.exe[756] 
USER32.dll!GetKeyState 7E36C505 6 Bytes JMP 5F9D0F5A .text C:\WINDOWS\PowerS.exe[756] USER32.dll!BeginDeferWindowPos 7E36D907 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\PowerS.exe[756] USER32.dll!GetKeyboardState 7E36EF29 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] USER32.dll!GetKeyboardState + 4 7E36EF2D 2 Bytes [ 9B, 5F ] .text C:\WINDOWS\PowerS.exe[756] USER32.dll!GetAsyncKeyState 7E36F3B3 6 Bytes JMP 5F940F5A .text C:\WINDOWS\PowerS.exe[756] USER32.dll!CreateAcceleratorTableW 7E37D3C1 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] USER32.dll!CreateAcceleratorTableW + 4 7E37D3C5 2 Bytes [ A1, 5F ] .text C:\WINDOWS\PowerS.exe[756] USER32.dll!SetWindowsHookExW 7E37DDB5 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\PowerS.exe[756] USER32.dll!SetWindowsHookExA 7E3811D1 6 Bytes JMP 5F880F5A .text C:\WINDOWS\PowerS.exe[756] USER32.dll!AttachThreadInput 7E381E12 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] USER32.dll!AttachThreadInput + 4 7E381E16 2 Bytes [ 98, 5F ] .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!CloseServiceHandle 77DD5E4D 6 Bytes JMP 5F100F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!OpenServiceW 77DD6165 6 Bytes JMP 5F220F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!ControlService 77DDB635 6 Bytes JMP 5F130F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!OpenServiceA 77DDB88C 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!StartServiceW 77DDBBAC 6 Bytes JMP 5F280F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!StartServiceA 77DE3238 6 Bytes JMP 5F250F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!LsaAddAccountRights 77E0A9A1 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!LsaRemoveAccountRights 77E0AA41 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 6 Bytes JMP 5F040F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 6 Bytes JMP 5F070F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!ChangeServiceConfig2A 
77E26F61 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!CreateServiceA 77E27071 6 Bytes JMP 5F160F5A .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!CreateServiceW 77E27209 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!CreateServiceW + 4 77E2720D 2 Bytes [ 1A, 5F ] .text C:\WINDOWS\PowerS.exe[756] ADVAPI32.dll!DeleteService 77E27311 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\PowerS.exe[756] ole32.dll!CoCreateInstanceEx 774EFA6B 6 Bytes JMP 5F850F5A .text C:\WINDOWS\PowerS.exe[756] ole32.dll!CoGetClassObject 77505DB2 6 Bytes JMP 5F820F5A .text C:\WINDOWS\PowerS.exe[756] ole32.dll!CLSIDFromProgID 775142CC 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\PowerS.exe[756] ole32.dll!CLSIDFromProgIDEx 775461FE 6 Bytes JMP 5F7C0F5A .text C:\WINDOWS\system32\winlogon.exe[952] kernel32.dll!CreateProcessInternalW 7C819513 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\winlogon.exe[952] kernel32.dll!CreateProcessInternalW + 4 7C819517 2 Bytes [ 05, 5F ] .text C:\WINDOWS\system32\services.exe[996] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\services.exe[996] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 08, 5F ] .text C:\WINDOWS\system32\services.exe[996] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\services.exe[996] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 0B, 5F ] .text C:\WINDOWS\system32\services.exe[996] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\services.exe[996] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 0E, 5F ] .text C:\WINDOWS\system32\services.exe[996] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\services.exe[996] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 11, 5F ] .text C:\WINDOWS\system32\services.exe[996] kernel32.dll!CreateProcessInternalW 7C819513 3 Bytes [ FF, 25, 1E ] .text 
C:\WINDOWS\system32\services.exe[996] kernel32.dll!CreateProcessInternalW + 4 7C819517 2 Bytes [ 05, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 4A, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 6B, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 4D, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtDeleteFile 7C90D88F 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtDeleteFile + 4 7C90D893 2 Bytes [ 6E, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 50, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 53, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtDuplicateObject 7C90D90D 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtDuplicateObject + 4 7C90D911 2 Bytes [ 56, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtEnumerateKey 7C90D94C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtEnumerateKey + 4 7C90D950 2 Bytes [ 59, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtEnumerateValueKey 7C90D976 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtEnumerateValueKey + 4 7C90D97A 2 
Bytes [ 5C, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtOpenFile 7C90DCFD 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtOpenFile + 4 7C90DD01 2 Bytes [ 71, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtQueryMultipleValueKey 7C90E0AE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtQueryMultipleValueKey + 4 7C90E0B2 2 Bytes [ 5F, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtQueryValueKey 7C90E1FE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtQueryValueKey + 4 7C90E202 2 Bytes [ 62, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtReadFile 7C90E27C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtReadFile + 4 7C90E280 2 Bytes [ 74, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 77, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 65, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtUnloadKey 7C90E90C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtUnloadKey + 4 7C90E910 2 Bytes [ 68, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 7A, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 47, 5F ] .text C:\WINDOWS\system32\Ati2evxx.exe[1184] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\Ati2evxx.exe[1184] 
Bytes JMP 5F3A0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] kernel32.dll!MapViewOfFileEx 7C80B896 6 Bytes JMP 5F340F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 3E, 5F ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] kernel32.dll!CreateProcessInternalW 7C819513 3 Bytes [ FF, 25, 1E ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] kernel32.dll!CreateProcessInternalW + 4 7C819517 2 Bytes [ 44, 5F ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [ FF, 25, 1E ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [ 41, 5F ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F370F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!CloseServiceHandle 77DD5E4D 6 Bytes JMP 5F100F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!OpenServiceW 77DD6165 6 Bytes JMP 5F220F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!ControlService 77DDB635 6 Bytes JMP 5F130F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!OpenServiceA 77DDB88C 6 Bytes JMP 5F1F0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!StartServiceW 77DDBBAC 6 Bytes JMP 5F280F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!StartServiceA 77DE3238 6 Bytes JMP 5F250F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!LsaAddAccountRights 77E0A9A1 6 Bytes JMP 5F2B0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!LsaRemoveAccountRights 77E0AA41 6 Bytes JMP 5F2E0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!ChangeServiceConfigA 77E26CC9 6 Bytes JMP 5F040F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!ChangeServiceConfigW 77E26E61 6 Bytes JMP 5F070F5A .text C:\Program 
Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!ChangeServiceConfig2A 77E26F61 6 Bytes JMP 5F0A0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!ChangeServiceConfig2W 77E26FE9 6 Bytes JMP 5F0D0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!CreateServiceA 77E27071 6 Bytes JMP 5F160F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!CreateServiceW 77E27209 3 Bytes [ FF, 25, 1E ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!CreateServiceW + 4 77E2720D 2 Bytes [ 1A, 5F ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] ADVAPI32.DLL!DeleteService 77E27311 6 Bytes JMP 5F1C0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FA60F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F910F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F8E0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!GetKeyState 7E36C505 6 Bytes JMP 5F9D0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!BeginDeferWindowPos 7E36D907 6 Bytes JMP 5F8B0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!GetKeyboardState 7E36EF29 3 Bytes [ FF, 25, 1E ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!GetKeyboardState + 4 7E36EF2D 2 Bytes [ 9B, 5F ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!GetAsyncKeyState 7E36F3B3 6 Bytes JMP 5F940F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!CreateAcceleratorTableW 7E37D3C1 3 Bytes [ FF, 25, 1E ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!CreateAcceleratorTableW + 4 7E37D3C5 2 Bytes [ A1, 5F ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!SetWindowsHookExW 7E37DDB5 6 Bytes JMP 5FA30F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!SetWindowsHookExA 7E3811D1 6 Bytes JMP 5F880F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!AttachThreadInput 7E381E12 3 
Bytes [ FF, 25, 1E ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] USER32.dll!AttachThreadInput + 4 7E381E16 2 Bytes [ 98, 5F ] .text C:\Program Files\WinRAR\WinRAR.exe[1752] OLE32.DLL!CoCreateInstanceEx 774EFA6B 6 Bytes JMP 5F850F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] OLE32.DLL!CoGetClassObject 77505DB2 6 Bytes JMP 5F820F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] OLE32.DLL!CLSIDFromProgID 775142CC 6 Bytes JMP 5F7F0F5A .text C:\Program Files\WinRAR\WinRAR.exe[1752] OLE32.DLL!CLSIDFromProgIDEx 775461FE 6 Bytes JMP 5F7C0F5A .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 4A, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 6B, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 4D, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtDeleteFile 7C90D88F 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtDeleteFile + 4 7C90D893 2 Bytes [ 6E, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 50, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 53, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtDuplicateObject 7C90D90D 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtDuplicateObject + 4 
7C90D911 2 Bytes [ 56, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtEnumerateKey 7C90D94C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtEnumerateKey + 4 7C90D950 2 Bytes [ 59, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtEnumerateValueKey 7C90D976 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtEnumerateValueKey + 4 7C90D97A 2 Bytes [ 5C, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtOpenFile 7C90DCFD 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtOpenFile + 4 7C90DD01 2 Bytes [ 71, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtQueryMultipleValueKey 7C90E0AE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtQueryMultipleValueKey + 4 7C90E0B2 2 Bytes [ 5F, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtQueryValueKey 7C90E1FE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtQueryValueKey + 4 7C90E202 2 Bytes [ 62, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtReadFile 7C90E27C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtReadFile + 4 7C90E280 2 Bytes [ 74, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 77, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 65, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtUnloadKey 7C90E90C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtUnloadKey + 4 7C90E910 2 Bytes [ 68, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ] .text 
C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 7A, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 47, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\WINDOWS\System32\svchost.exe[1772] kernel32.dll!CreateFileMappingW 7C80938E 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\System32\svchost.exe[1772] kernel32.dll!MapViewOfFileEx 7C80B896 6 Bytes JMP 5F340F5A .text C:\WINDOWS\System32\svchost.exe[1772] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 3E, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] kernel32.dll!CreateProcessInternalW 7C819513 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] kernel32.dll!CreateProcessInternalW + 4 7C819517 2 Bytes [ 44, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [ 41, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F370F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!CloseServiceHandle 77DD5E4D 6 Bytes JMP 5F100F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!OpenServiceW 77DD6165 6 Bytes JMP 5F220F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!ControlService 77DDB635 6 Bytes JMP 5F130F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!OpenServiceA 77DDB88C 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!StartServiceW 77DDBBAC 6 Bytes JMP 5F280F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!StartServiceA 77DE3238 6 Bytes JMP 5F250F5A .text 
C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!LsaAddAccountRights 77E0A9A1 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!LsaRemoveAccountRights 77E0AA41 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 6 Bytes JMP 5F040F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 6 Bytes JMP 5F070F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!CreateServiceA 77E27071 6 Bytes JMP 5F160F5A .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!CreateServiceW 77E27209 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!CreateServiceW + 4 77E2720D 2 Bytes [ 1A, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ADVAPI32.dll!DeleteService 77E27311 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F910F5A .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!GetKeyState 7E36C505 6 Bytes JMP 5F9D0F5A .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!BeginDeferWindowPos 7E36D907 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!GetKeyboardState 7E36EF29 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!GetKeyboardState + 4 7E36EF2D 2 Bytes [ 9B, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!GetAsyncKeyState 7E36F3B3 6 Bytes JMP 5F940F5A .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!CreateAcceleratorTableW 7E37D3C1 3 Bytes [ FF, 25, 1E ] .text 
C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!CreateAcceleratorTableW + 4 7E37D3C5 2 Bytes [ A1, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!SetWindowsHookExW 7E37DDB5 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!SetWindowsHookExA 7E3811D1 6 Bytes JMP 5F880F5A .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!AttachThreadInput 7E381E12 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\System32\svchost.exe[1772] USER32.dll!AttachThreadInput + 4 7E381E16 2 Bytes [ 98, 5F ] .text C:\WINDOWS\System32\svchost.exe[1772] ole32.dll!CoCreateInstanceEx 774EFA6B 6 Bytes JMP 5F850F5A .text C:\WINDOWS\System32\svchost.exe[1772] ole32.dll!CoGetClassObject 77505DB2 6 Bytes JMP 5F820F5A .text C:\WINDOWS\System32\svchost.exe[1772] ole32.dll!CLSIDFromProgID 775142CC 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\System32\svchost.exe[1772] ole32.dll!CLSIDFromProgIDEx 775461FE 6 Bytes JMP 5F7C0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 4A, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 6B, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 4D, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtDeleteFile 7C90D88F 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtDeleteFile + 4 7C90D893 2 Bytes [ 6E, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 50, 5F ] .text 
C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 53, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtDuplicateObject 7C90D90D 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtDuplicateObject + 4 7C90D911 2 Bytes [ 56, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtEnumerateKey 7C90D94C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtEnumerateKey + 4 7C90D950 2 Bytes [ 59, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtEnumerateValueKey 7C90D976 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtEnumerateValueKey + 4 7C90D97A 2 Bytes [ 5C, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtOpenFile 7C90DCFD 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtOpenFile + 4 7C90DD01 2 Bytes [ 71, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtQueryMultipleValueKey 7C90E0AE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtQueryMultipleValueKey + 4 7C90E0B2 2 Bytes [ 5F, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtQueryValueKey 7C90E1FE 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtQueryValueKey + 4 7C90E202 2 Bytes [ 62, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtReadFile 7C90E27C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtReadFile + 4 7C90E280 2 Bytes [ 74, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 77, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] 
ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 65, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtUnloadKey 7C90E90C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtUnloadKey + 4 7C90E910 2 Bytes [ 68, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 7A, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 47, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] kernel32.dll!CreateFileMappingW 7C80938E 6 Bytes JMP 5F3A0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] kernel32.dll!MapViewOfFileEx 7C80B896 6 Bytes JMP 5F340F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 3E, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] kernel32.dll!CreateProcessInternalW 7C819513 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] kernel32.dll!CreateProcessInternalW + 4 7C819517 2 Bytes [ 44, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [ 41, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] kernel32.dll!CopyFileExW 7C827B32 6 Bytes JMP 5F370F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!CloseServiceHandle 77DD5E4D 6 Bytes JMP 5F100F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!OpenServiceW 77DD6165 6 Bytes JMP 5F220F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!ControlService 
77DDB635 6 Bytes JMP 5F130F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!OpenServiceA 77DDB88C 6 Bytes JMP 5F1F0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!StartServiceW 77DDBBAC 6 Bytes JMP 5F280F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!StartServiceA 77DE3238 6 Bytes JMP 5F250F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!LsaAddAccountRights 77E0A9A1 6 Bytes JMP 5F2B0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!LsaRemoveAccountRights 77E0AA41 6 Bytes JMP 5F2E0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!ChangeServiceConfigA 77E26CC9 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!ChangeServiceConfigW 77E26E61 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!ChangeServiceConfig2A 77E26F61 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!ChangeServiceConfig2W 77E26FE9 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!CreateServiceA 77E27071 6 Bytes JMP 5F160F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!CreateServiceW 77E27209 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!CreateServiceW + 4 77E2720D 2 Bytes [ 1A, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ADVAPI32.dll!DeleteService 77E27311 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!DispatchMessageW 7E368A01 6 Bytes JMP 5FA60F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!TranslateMessage 7E368BF6 6 Bytes JMP 5F910F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!DispatchMessageA 7E3696B8 6 Bytes JMP 5F8E0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!GetKeyState 7E36C505 6 Bytes JMP 5F9D0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!BeginDeferWindowPos 7E36D907 6 Bytes JMP 5F8B0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!GetKeyboardState 7E36EF29 3 Bytes [ FF, 
25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!GetKeyboardState + 4 7E36EF2D 2 Bytes [ 9B, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!GetAsyncKeyState 7E36F3B3 6 Bytes JMP 5F940F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!CreateAcceleratorTableW 7E37D3C1 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!CreateAcceleratorTableW + 4 7E37D3C5 2 Bytes [ A1, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!SetWindowsHookExW 7E37DDB5 6 Bytes JMP 5FA30F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!SetWindowsHookExA 7E3811D1 6 Bytes JMP 5F880F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!AttachThreadInput 7E381E12 3 Bytes [ FF, 25, 1E ] .text C:\WINDOWS\system32\spoolsv.exe[2044] USER32.dll!AttachThreadInput + 4 7E381E16 2 Bytes [ 98, 5F ] .text C:\WINDOWS\system32\spoolsv.exe[2044] ole32.dll!CoCreateInstanceEx 774EFA6B 6 Bytes JMP 5F850F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ole32.dll!CoGetClassObject 77505DB2 6 Bytes JMP 5F820F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ole32.dll!CLSIDFromProgID 775142CC 6 Bytes JMP 5F7F0F5A .text C:\WINDOWS\system32\spoolsv.exe[2044] ole32.dll!CLSIDFromProgIDEx 775461FE 6 Bytes JMP 5F7C0F5A .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 4A, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 6B, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 4D, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] 
ntdll.dll!NtDeleteFile 7C90D88F 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtDeleteFile + 4 7C90D893 2 Bytes [ 6E, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 50, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 53, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtDuplicateObject 7C90D90D 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtDuplicateObject + 4 7C90D911 2 Bytes [ 56, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtEnumerateKey 7C90D94C 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtEnumerateKey + 4 7C90D950 2 Bytes [ 59, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtEnumerateValueKey 7C90D976 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtEnumerateValueKey + 4 7C90D97A 2 Bytes [ 5C, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtOpenFile 7C90DCFD 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtOpenFile + 4 7C90DD01 2 Bytes [ 71, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtQueryMultipleValueKey 7C90E0AE 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtQueryMultipleValueKey + 4 7C90E0B2 2 Bytes [ 5F, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtQueryValueKey 7C90E1FE 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtQueryValueKey + 4 7C90E202 2 Bytes [ 62, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtReadFile 7C90E27C 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtReadFile + 4 7C90E280 2 Bytes [ 
74, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 77, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 65, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtUnloadKey 7C90E90C 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtUnloadKey + 4 7C90E910 2 Bytes [ 68, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 7A, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 47, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] kernel32.dll!TerminateProcess 7C801E16 6 Bytes JMP 5F310F5A .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] kernel32.dll!CreateFileMappingW 7C80938E 6 Bytes JMP 5F3A0F5A .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] kernel32.dll!MapViewOfFileEx 7C80B896 6 Bytes JMP 5F340F5A .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] kernel32.dll!CreateRemoteThread 7C81042C 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] kernel32.dll!CreateRemoteThread + 4 7C810430 2 Bytes [ 3E, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] kernel32.dll!CreateProcessInternalW 7C819513 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] kernel32.dll!CreateProcessInternalW + 4 7C819517 2 Bytes [ 44, 5F ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] kernel32.dll!MoveFileWithProgressW 7C81F72E 3 Bytes [ FF, 25, 1E ] .text C:\PROGRA~1\MOZILL~1\FIREFOX.EXE[2628] kernel32.dll!MoveFileWithProgressW + 4 7C81F732 2 Bytes [ 41, 
---- Kernel IAT/EAT - GMER 1.0.13 ----
---- Devices - GMER 1.0.13 ----
IRP_MJ_SHUTDOWN [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [AEE97812] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [AEE964F2] NETFLTDI.SYS Device \Driver\nvatabus \Device\00000089 IRP_MJ_CREATE 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_CREATE_NAMED_PIPE 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_CLOSE 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_READ 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_WRITE 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_QUERY_INFORMATION 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_SET_INFORMATION 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_QUERY_EA 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_SET_EA 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_FLUSH_BUFFERS 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_QUERY_VOLUME_INFORMATION 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_SET_VOLUME_INFORMATION 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_DIRECTORY_CONTROL 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_FILE_SYSTEM_CONTROL 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_DEVICE_CONTROL 81F93448 Device \Driver\nvatabus \Device\00000089 
IRP_MJ_INTERNAL_DEVICE_CONTROL 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_SHUTDOWN 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_LOCK_CONTROL 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_CLEANUP 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_CREATE_MAILSLOT 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_QUERY_SECURITY 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_SET_SECURITY 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_POWER 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_SYSTEM_CONTROL 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_DEVICE_CHANGE 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_QUERY_QUOTA 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_SET_QUOTA 81F93448 Device \Driver\nvatabus \Device\00000089 IRP_MJ_PNP 81F93448 AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [AEE9761C] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [AEE97B5A] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [AEE964F2] NETFLTDI.SYS 
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [AEE9BFEC] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [AEE9BDD2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [AEE97812] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [AEE964F2] NETFLTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [AEE964F2] NETFLTDI.SYS Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_CREATE 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_CREATE_NAMED_PIPE 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_CLOSE 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_READ 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_WRITE 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_QUERY_INFORMATION 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SET_INFORMATION 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_QUERY_EA 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SET_EA 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_FLUSH_BUFFERS 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_QUERY_VOLUME_INFORMATION 81F93448 Device \Driver\nvatabus 
\Device\NvAta0 IRP_MJ_SET_VOLUME_INFORMATION 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_DIRECTORY_CONTROL 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_FILE_SYSTEM_CONTROL 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_DEVICE_CONTROL 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SHUTDOWN 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_LOCK_CONTROL 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_CLEANUP 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_CREATE_MAILSLOT 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_QUERY_SECURITY 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SET_SECURITY 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_POWER 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SYSTEM_CONTROL 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_DEVICE_CHANGE 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_QUERY_QUOTA 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SET_QUOTA 81F93448 Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_PNP 81F93448 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 81DC4198 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 81DC4198 Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 81EA9458 Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 81E7DFB0 Device \Driver\nvatabus \Device\0000008a IRP_MJ_CREATE 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_CREATE_NAMED_PIPE 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_CLOSE 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_READ 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_WRITE 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_QUERY_INFORMATION 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_SET_INFORMATION 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_QUERY_EA 81F93448 Device \Driver\nvatabus 
\Device\0000008a IRP_MJ_SET_EA 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_FLUSH_BUFFERS 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_QUERY_VOLUME_INFORMATION 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_SET_VOLUME_INFORMATION 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_DIRECTORY_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_FILE_SYSTEM_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_DEVICE_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_INTERNAL_DEVICE_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_SHUTDOWN 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_LOCK_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_CLEANUP 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_CREATE_MAILSLOT 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_QUERY_SECURITY 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_SET_SECURITY 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_POWER 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_SYSTEM_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_DEVICE_CHANGE 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_QUERY_QUOTA 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_SET_QUOTA 81F93448 Device \Driver\nvatabus \Device\0000008a IRP_MJ_PNP 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_CREATE 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_CREATE_NAMED_PIPE 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_CLOSE 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_READ 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_WRITE 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_QUERY_INFORMATION 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_SET_INFORMATION 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_QUERY_EA 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_SET_EA 
81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_FLUSH_BUFFERS 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_QUERY_VOLUME_INFORMATION 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_SET_VOLUME_INFORMATION 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_DIRECTORY_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_FILE_SYSTEM_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_DEVICE_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_INTERNAL_DEVICE_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_SHUTDOWN 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_LOCK_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_CLEANUP 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_CREATE_MAILSLOT 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_QUERY_SECURITY 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_SET_SECURITY 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_POWER 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_SYSTEM_CONTROL 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_DEVICE_CHANGE 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_QUERY_QUOTA 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_SET_QUOTA 81F93448 Device \Driver\nvatabus \Device\0000008b IRP_MJ_PNP 81F93448 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_CREATE 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_CLOSE 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_READ 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_WRITE 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 
IRP_MJ_SET_INFORMATION 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_QUERY_EA 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_SET_EA 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_SHUTDOWN 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_CLEANUP 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_SET_SECURITY 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_POWER 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_SET_QUOTA 81FC4170 Device \Driver\d347prt 
\Device\Scsi\d347prt1Port1Path0Target0Lun0 IRP_MJ_PNP 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_NAMED_PIPE 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLOSE 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_READ 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_WRITE 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_INFORMATION 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_INFORMATION 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_EA 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_EA 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FLUSH_BUFFERS 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_VOLUME_INFORMATION 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_VOLUME_INFORMATION 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DIRECTORY_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FILE_SYSTEM_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SHUTDOWN 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_LOCK_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLEANUP 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_MAILSLOT 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_SECURITY 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_SECURITY 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_POWER 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SYSTEM_CONTROL 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CHANGE 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_QUOTA 
81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_QUOTA 81FC4170 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_PNP 81FC4170 Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 81DE0EB8 Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 81DE0EB8 Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 81DE0EB8 Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 81DE0EB8 Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 81DE0EB8 Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 8200CE70 ---- Registry - GMER 1.0.13 ---- Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ... Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ... Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ... 
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ... Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ... Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ... Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ... 
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ... Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ... Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ... Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ... 
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ... ---- EOF - GMER 1.0.13 ----

amiigo
Added: 23.07.2007 05:04:37
Comments: 1