GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-12-06 14:46:07 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Scsi\Si3112r1Port2Path0Target0Lun0 ST316082 rev.3.03 149,05GB Running: xuo0hff4.exe; Driver: C:\DOCUME~1\Dom\USTAWI~1\Temp\afldrkow.sys ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xA58EDF04] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xA58EF5D6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xA58ED14A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateEvent [0xA58EC220] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateEventPair [0xA58EC278] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xA58EDB32] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xA58EEB3A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateMutant [0xA58EC1CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreatePort [0xA58EC172] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xA58ED84E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSemaphore [0xA58EC2CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xA58F08AC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xA58ECAF4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xA58EE2BE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xA58EE534] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xA58EC8DE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xA58EF6EC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xA58EF900] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xA58F02B2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xA58ED422] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeKey [0xA58F0B7E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeMultipleKeys [0xA58EF4AA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xA58EDD2A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xA58EEA1C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xA58EC322] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xA58ED6D6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xA58EC62E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xA58EFA72] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xA58EFD26] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xA58EFBA4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xA58EF198] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0xA58EE0F8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xA58EE840] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xA58F05B2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xA58EEE56] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xA58ED398] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xA58ED5C2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xA58ECF2A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xA58ECCF8] ---- User code sections - GMER 2.1 ---- .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Documents and Settings\Dom\Moje dokumenty\Pobrane\xuo0hff4.exe[1780] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1104] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1464] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00402960 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1464] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00402710 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[1464] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 00402620 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3508] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00431A90 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1156] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 0040E6A0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1156] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 004B76C0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1156] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 004B75D0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1136] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01AFAF5D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01AFBFAC C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01AFB5A5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 0185AFF1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 00AEA8A8 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0178B983 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 0178B6C3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 0178B7F8 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 0178B6FD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 01B12E91 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0178BB27 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 01B12EE1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 025DAE81 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3776] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\TeamViewer\TeamViewer.exe[1584] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\TeamViewer\TeamViewer_Service.exe[2016] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\TeamViewer\tv_w32.exe[3524] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\TeamViewer\tv_w32.exe[3524] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\TeamViewer\tv_w32.exe[3524] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\TeamViewer\tv_w32.exe[3524] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\TeamViewer\tv_w32.exe[3524] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\TeamViewer\tv_w32.exe[3524] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\tv_w32.exe[3524] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\TeamViewer\tv_w32.exe[3524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\TeamViewer\tv_w32.exe[3524] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\TeamViewer\tv_w32.exe[3524] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\tv_w32.exe[3524] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\TeamViewer\tv_w32.exe[3524] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\tv_w32.exe[3524] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\TeamViewer\tv_w32.exe[3524] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\tv_w32.exe[3524] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\TeamViewer\tv_w32.exe[3524] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\tv_w32.exe[3524] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\TeamViewer\tv_w32.exe[3524] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\TeamViewer\tv_w32.exe[3524] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\TeamViewer\tv_w32.exe[3524] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\TeamViewer\tv_w32.exe[3524] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\TeamViewer\tv_w32.exe[3524] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A ---- Files - GMER 2.1 ---- File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029895.ini 2271145 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029896.ini 2281244 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029897.ini 2271145 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029898.properties 842 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029899.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029900.lnk 427 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029901.lnk 713 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029902.ini 464 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029903.ini 62 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029904.ini 62 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029905.ini 62 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029906.lnk 1693 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029907.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029908.inf 1564 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029909.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029910.cat 8699 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029911.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029912.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029913.INI 415836 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\A0029914.properties 842 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\change.log.1 50006 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\change.log.2 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\drivetable.txt 134 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\RestorePointSize 8 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\rp.log 536 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP110\snapshot 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029915.ini 2279143 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029916.ini 2281305 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029917.ini 2280816 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029918.lnk 725 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029919.crl 37598 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029920.crl 933 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029921.lnk 713 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029922.lnk 713 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029923.lnk 713 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029924.lnk 713 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029925.lnk 725 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029926.lnk 713 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029927.lnk 713 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029928.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029929.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029930.lnk 805 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029931.lnk 497 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029932.LNK 762 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029933.LNK 497 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029934.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029935.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029936.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029937.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029938.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029939.inf 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029940.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029941.cat 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029942.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029943.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029944.INI 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029945.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029946.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029947.lnk 713 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029948.LNK 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029949.LNK 641 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029950.ini 1309 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029951.ini 464 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029952.ini 2280817 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029953.ini 27342 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029954.lnk 642 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029955.lnk 848 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029956.lnk 558 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029957.lnk 830 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029958.lnk 625 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029959.lnk 427 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029960.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029961.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029962.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029963.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029964.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029965.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029966.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029967.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029968.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029969.inf 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029970.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029971.cat 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029972.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029973.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029974.INI 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\A0029975.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\change.log.1 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\change.log.2 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\change.log.3 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\drivetable.txt 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\RestorePointSize 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\rp.log 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP111\snapshot 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031076.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031077.ini 2294827 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031078.INI 767662 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031079.mof 175388 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031080.mof 26038 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031081.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031082.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031083.manifest 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031084.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031085.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031086.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031087.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031088.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031089.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031090.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031091.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031092.Dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031094.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031095.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031096.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031097.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031098.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031099.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031100.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031101.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031102.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031103.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031104.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031105.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031106.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031107.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031108.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031109.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031111.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031112.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031113.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031114.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031115.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031116.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031117.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031118.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031119.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031120.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031121.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031122.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031123.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031124.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031125.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031126.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031127.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031129.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031130.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031131.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031132.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031133.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031134.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031135.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031136.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031137.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031138.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031139.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031140.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031141.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031142.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031143.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031144.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP115\A0031145.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033093.dll 81784 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033094.dll 2970968 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033095.dll 753832 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033096.dll 829280 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033097.dll 401536 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033098.dll 285072 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033099.dll 184976 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033100.dll 3513432 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033101.dll 616568 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033102.dll 378720 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033103.dll 268448 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033104.dll 113512 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033105.dll 5029448 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033106.dll 1711496 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033107.dll 2213528 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033108.dll 39784 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033110.dll 210816 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033111.dll 81800 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033112.dll 1339736 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033113.dll 50552 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033114.dll 4464480 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033115.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033116.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033117.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033118.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033119.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033120.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033121.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033122.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033123.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033124.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033125.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033126.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033128.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033129.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033130.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033131.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033132.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP116\A0033133.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP117\A0033533.ini 62 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP117\A0033534.ini 62 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP117\A0033535.ini 62 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP117\A0033536.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP117\A0033537.inf 1564 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP117\A0033538.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP117\A0033539.cat 8699 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP117\A0033540.lnk 1693 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP117\A0033541.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP117\A0033542.ini 2476 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033599.ini 2294827 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033600.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033601.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033602.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033603.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033604.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033605.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033606.inf 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033607.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033608.cat 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033609.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033610.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033611.INI 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033612.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033613.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033614.ini 2300567 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033615.lnk 698 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033616.lnk 773 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033617.crl 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033618.crl 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033619.lnk 773 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033620.lnk 773 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033621.lnk 763 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033622.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033623.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033624.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033625.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033626.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033627.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033628.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033629.inf 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033630.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033631.cat 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033632.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033633.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033634.ini 2300569 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033635.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033636.ini 2301824 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033637.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033638.INI 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\A0033639.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\change.log.1 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\change.log.2 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\change.log.3 33552 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\drivetable.txt 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\RestorePointSize 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\rp.log 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP118\snapshot 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033758.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033759.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033760.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033761.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033762.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033763.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033764.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033765.inf 1564 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033766.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033767.cat 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033768.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033769.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033770.ini 2476 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033771.INI 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033772.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033773.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033774.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033775.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033776.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033777.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033778.inf 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033779.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033780.cat 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033781.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033782.ini 2304922 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033783.ini 2317784 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033784.ini 2309603 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033785.ini 2476 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033786.INI 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033787.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033788.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033789.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033790.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033791.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033792.inf 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033793.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033794.cat 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033795.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033796.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033797.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033798.INI 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\A0033799.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\change.log.1 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\change.log.2 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\change.log.3 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\change.log.4 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\drivetable.txt 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\RestorePointSize 8 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\rp.log 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP120\snapshot 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\A0033818.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\A0033819.inf 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\A0033820.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\A0033821.cat 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\A0033822.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\A0033823.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\A0033824.ini 2476 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\A0033825.INI 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\A0033826.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\change.log.1 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\change.log.2 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\change.log.3 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\drivetable.txt 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\RestorePointSize 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\rp.log 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP121\snapshot 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033827.exe 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033828.ocx 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033829.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033830.exe 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033831.cpl 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033832.exe 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033833.exe 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033834.dll 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033835.exe 1157320 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033836.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033837.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033838.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033839.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033840.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033841.LNK 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033842.LNK 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033843.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033844.LNK 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033845.LNK 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033846.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033847.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033848.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033849.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033850.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033851.inf 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033852.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033853.cat 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033854.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033855.sys 13368 bytes executable File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033856.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033857.INI 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033858.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033859.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033860.LNK 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033861.LNK 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033862.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033863.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033864.LNK 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033865.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033866.LNK 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033867.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033868.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033869.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033870.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033871.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033872.inf 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033873.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033874.cat 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033875.lnk 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033876.sys 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033877.ini 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033878.INI 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\A0033879.properties 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\change.log.1 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\change.log.2 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\change.log.3 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\drivetable.txt 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\RestorePointSize 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\rp.log 0 bytes File C:\System Volume Information\_restore{8FF8F469-B1D7-4BE0-A09B-6105698FD774}\RP122\snapshot 0 bytes ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\Domino.EXE[588] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\Domino.EXE[588] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\Domino.EXE[588] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\Domino.EXE[588] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\Domino.EXE[588] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\Domino.EXE[588] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Domino.EXE[588] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\Domino.EXE[588] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Domino.EXE[588] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\Domino.EXE[588] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Domino.EXE[588] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\Domino.EXE[588] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Domino.EXE[588] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\Domino.EXE[588] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Domino.EXE[588] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Domino.EXE[588] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Domino.EXE[588] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\Domino.EXE[588] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Domino.EXE[588] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\Domino.EXE[588] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\Domino.EXE[588] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\Domino.EXE[588] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\Explorer.EXE[1716] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\Explorer.EXE[1716] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\Explorer.EXE[1716] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[1716] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[1716] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\Explorer.EXE[1716] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\Explorer.EXE[1716] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\Explorer.EXE[1716] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\Explorer.EXE[1716] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\Mixer.exe[2012] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\Mixer.exe[2012] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\Mixer.exe[2012] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\Mixer.exe[2012] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\Mixer.exe[2012] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\Mixer.exe[2012] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\Mixer.exe[2012] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\Mixer.exe[2012] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Mixer.exe[2012] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\Mixer.exe[2012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Mixer.exe[2012] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\Mixer.exe[2012] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Mixer.exe[2012] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\Mixer.exe[2012] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Mixer.exe[2012] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\Mixer.exe[2012] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Mixer.exe[2012] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Mixer.exe[2012] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Mixer.exe[2012] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\Mixer.exe[2012] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Mixer.exe[2012] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\Mixer.exe[2012] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\Mixer.exe[2012] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\Mixer.exe[2012] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\SOUNDMAN.EXE[984] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\SOUNDMAN.EXE[984] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\SOUNDMAN.EXE[984] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\SOUNDMAN.EXE[984] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\SOUNDMAN.EXE[984] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\SOUNDMAN.EXE[984] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[984] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\SOUNDMAN.EXE[984] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\SOUNDMAN.EXE[984] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\SOUNDMAN.EXE[984] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[984] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\SOUNDMAN.EXE[984] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[984] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\SOUNDMAN.EXE[984] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[984] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\SOUNDMAN.EXE[984] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[984] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\SOUNDMAN.EXE[984] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[984] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\SOUNDMAN.EXE[984] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\SOUNDMAN.EXE[984] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\SOUNDMAN.EXE[984] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\System32\alg.exe[472] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\System32\alg.exe[472] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\System32\alg.exe[472] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7191000A .text C:\WINDOWS\System32\alg.exe[472] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718E000A .text C:\WINDOWS\System32\alg.exe[472] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7188000A .text C:\WINDOWS\System32\alg.exe[472] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718B000A .text C:\WINDOWS\System32\alg.exe[472] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 717F000A .text C:\WINDOWS\System32\alg.exe[472] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[472] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [96, 71] .text C:\WINDOWS\System32\alg.exe[472] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\alg.exe[472] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7185000A .text C:\WINDOWS\System32\alg.exe[472] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[472] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [81, 71] .text C:\WINDOWS\System32\alg.exe[472] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[472] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text C:\WINDOWS\System32\alg.exe[472] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[472] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\alg.exe[472] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[472] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [72, 71] {JB 0x73} .text C:\WINDOWS\System32\alg.exe[472] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[472] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6F, 71] .text C:\WINDOWS\System32\alg.exe[472] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717C000A .text C:\WINDOWS\System32\alg.exe[472] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7179000A .text C:\WINDOWS\System32\alg.exe[472] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7176000A .text C:\WINDOWS\system32\csrss.exe[704] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[704] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001D70 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\ctfmon.exe[2200] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ctfmon.exe[2200] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\ctfmon.exe[2200] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\ctfmon.exe[2200] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ctfmon.exe[2200] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\ctfmon.exe[2200] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2200] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\ctfmon.exe[2200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\ctfmon.exe[2200] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\ctfmon.exe[2200] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2200] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\ctfmon.exe[2200] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2200] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\ctfmon.exe[2200] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2200] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\ctfmon.exe[2200] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2200] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\ctfmon.exe[2200] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2200] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\ctfmon.exe[2200] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\ctfmon.exe[2200] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\ctfmon.exe[2200] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\lsass.exe[788] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\lsass.exe[788] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7191000A .text C:\WINDOWS\system32\lsass.exe[788] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718B000A .text C:\WINDOWS\system32\lsass.exe[788] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [99, 71] .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7188000A .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [84, 71] .text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A2, 71] .text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [75, 71] {JNZ 0x73} .text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[788] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [72, 71] {JB 0x73} .text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\lsass.exe[788] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\RunDll32.exe[2312] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\RunDll32.exe[2312] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\RunDll32.exe[2312] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\RunDll32.exe[2312] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\RunDll32.exe[2312] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\RunDll32.exe[2312] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2312] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\RunDll32.exe[2312] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\RunDll32.exe[2312] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\RunDll32.exe[2312] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2312] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\RunDll32.exe[2312] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2312] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\RunDll32.exe[2312] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2312] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\RunDll32.exe[2312] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2312] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\RunDll32.exe[2312] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2312] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\RunDll32.exe[2312] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\RunDll32.exe[2312] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\RunDll32.exe[2312] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\services.exe[776] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\services.exe[776] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\services.exe[776] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\services.exe[776] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\services.exe[776] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[776] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[776] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\services.exe[776] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\services.exe[776] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\services.exe[776] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\services.exe[776] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\spoolsv.exe[1884] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[1884] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\spoolsv.exe[1884] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[1884] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\spoolsv.exe[1884] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\spoolsv.exe[1884] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1884] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[1884] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\spoolsv.exe[1884] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1032] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1032] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1032] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1032] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1032] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1032] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1032] rpcss.dll!WhichService 76A64234 8 Bytes [70, 92, 01, 10, 30, 90, 01, ...] .text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1032] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1128] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1128] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1128] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1128] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1128] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1128] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1128] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1212] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1212] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1212] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1212] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1212] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1212] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1212] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1212] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1324] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1324] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1324] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1324] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1324] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1324] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1324] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1484] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1484] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1484] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1484] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1484] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\System32\svchost.exe[2304] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\System32\svchost.exe[2304] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\System32\svchost.exe[2304] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\System32\svchost.exe[2304] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\System32\svchost.exe[2304] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\System32\svchost.exe[2304] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\System32\svchost.exe[2304] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\svchost.exe[2304] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2304] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\System32\svchost.exe[2304] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\svchost.exe[2304] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\System32\svchost.exe[2304] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2304] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\System32\svchost.exe[2304] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2304] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\System32\svchost.exe[2304] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2304] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\svchost.exe[2304] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2304] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\System32\svchost.exe[2304] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2304] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\System32\svchost.exe[2304] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\svchost.exe[2304] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\System32\svchost.exe[2304] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, AE, 01, 10] .text C:\WINDOWS\system32\svchost.exe[700] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, AE, 01, 10] {MOV AL, 0xae; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[700] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[700] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[700] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[700] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[700] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[700] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[700] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[700] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[700] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[700] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[700] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[700] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[700] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[700] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[700] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[700] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[948] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[948] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[948] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[948] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[948] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[948] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[948] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[948] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\VMSnap3.EXE[340] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\VMSnap3.EXE[340] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\VMSnap3.EXE[340] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\VMSnap3.EXE[340] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\VMSnap3.EXE[340] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\VMSnap3.EXE[340] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\VMSnap3.EXE[340] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\VMSnap3.EXE[340] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\VMSnap3.EXE[340] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\VMSnap3.EXE[340] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\VMSnap3.EXE[340] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\VMSnap3.EXE[340] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\VMSnap3.EXE[340] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\VMSnap3.EXE[340] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\VMSnap3.EXE[340] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\VMSnap3.EXE[340] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\VMSnap3.EXE[340] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\VMSnap3.EXE[340] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\VMSnap3.EXE[340] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\VMSnap3.EXE[340] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\VMSnap3.EXE[340] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\VMSnap3.EXE[340] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!_abnormal_termination + 114 804E26E8 16 Bytes [4E, D8, 8E, A5, CA, C2, 8E, ...] {DEC ESI; FMUL DWORD [ESI-0x713d355b]; MOVSD ; LODSB ; OR [EDI-0x71350b5b], CL; MOVSD } .text ntoskrnl.exe!_abnormal_termination + 228 804E27FC 4 Bytes [1C, EA, 8E, A5] .text ntoskrnl.exe!_abnormal_termination + 400 804E29D4 4 Bytes [40, E8, 8E, A5] .text ntoskrnl.exe!_abnormal_termination + D8 804E26AC 12 Bytes [20, C2, 8E, A5, 78, C2, 8E, ...] ---- EOF - GMER 2.1 ----