GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-15 20:24:08
Windows 5.1.2600 Service Pack 3
Running: s4xiovdz.exe; Driver: C:\DOCUME~1\Simon\LOCALS~1\Temp\kfrcipob.sys
---- System - GMER 1.0.15 ----
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA6E9D72]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA6CA9A6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA6CAB98]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA6EA568]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA6EA820]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA6E8A80]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA6EAC8A]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA6EA036]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBA6CA656]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB29B34EC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB29B3635]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB29B361F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB29B352C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB29B3661]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB29B3470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB29B3484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB29B3500]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB29B369D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB29B3609]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB29B35F3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB29B3689]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB29B3675]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB29B34D8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB29B34C4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB29B364B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB29B3542]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB29B3516]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B29B351A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B29B34F0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 3 Bytes JMP B29B3530 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection + 4 805B2008 3 Bytes [32, 90, 90]
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP B29B3546 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP B29B3504 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP B29B3474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP B29B3488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP B29B34C8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP B29B34DC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP B29B35F7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP B29B364F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP B29B360D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP B29B3639 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP B29B3623 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP B29B36A1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP B29B3679 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP B29B368D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP B29B3665 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02470001
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[148] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01660001
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\McAfee\MSK\MskSrver.exe[252] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00650001
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[324] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[384] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 008E0001
.text C:\WINDOWS\system32\nvsvc32.exe[384] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\nvsvc32.exe[384] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2D, 5F]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [18, 5F]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0C, 5F] {OR AL, 0x5f}
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [12, 5F]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [15, 5F]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [21, 5F]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0F, 5F]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1B, 5F]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [2A, 5F]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 002600B6
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260091
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00260080
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0026006F
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260054
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002600F5
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002600E4
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0026011A
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260F8B
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00260F5C
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00260FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0026000A
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 002600C7
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0026002F
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00260FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[412] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00260F9C
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00350FB2
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00350F6B
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00350FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00350FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00350F86
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00350FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00350F97
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [55, 88]
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0035001E
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F330F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2F0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[412] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[412] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00360F9C
.text C:\Program Files\Internet Explorer\iexplore.exe[412] msvcrt.dll!system 77C293C7 5 Bytes JMP 00360031
.text C:\Program Files\Internet Explorer\iexplore.exe[412] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00360016
.text C:\Program Files\Internet Explorer\iexplore.exe[412] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00360FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[412] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00360FC1
.text C:\Program Files\Internet Explorer\iexplore.exe[412] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00360FD2
.text C:\Program Files\Internet Explorer\iexplore.exe[412] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00980FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[412] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0098000A
.text C:\Program Files\Internet Explorer\iexplore.exe[412] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00980FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[412] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0098002F
.text C:\Program Files\Internet Explorer\iexplore.exe[412] ws2_32.dll!socket 71AB4211 5 Bytes JMP 01070FEF
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\csrss.exe[652] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 016C0001
.text C:\WINDOWS\system32\csrss.exe[652] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\csrss.exe[652] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01390001
.text C:\WINDOWS\system32\winlogon.exe[676] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\winlogon.exe[676] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2D, 5F]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [18, 5F]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0C, 5F] {OR AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [15, 5F]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [21, 5F]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0F, 5F]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1B, 5F]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[732] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [2A, 5F]
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010600B5
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0106009A
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01060FC0
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0106007D
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01060051
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010600DC
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01060F94
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01060F39
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01060F5E
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010600ED
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01060062
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0106000A
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01060FAF
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01060040
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01060025
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01060F6F
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0087
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0022
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0011
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF006C
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FF0FC0
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1F, 89]
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0051
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0055
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0044
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0029
.text C:\WINDOWS\system32\services.exe[732] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F330F5A
.text C:\WINDOWS\system32\services.exe[732] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2F0F5A
.text C:\WINDOWS\system32\services.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2D, 5F]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [18, 5F]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtDeleteKey + 4 7C90D252 2 Bytes [0C, 5F] {OR AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtRenameKey 7C90DA5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtRenameKey + 4 7C90DA62 2 Bytes [15, 5F]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtSetInformationFile 7C90DC5E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtSetInformationFile + 4 7C90DC62 2 Bytes [21, 5F]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [0F, 5F]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtWriteFile + 4 7C90DF82 2 Bytes [1B, 5F]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtWriteFileGather 7C90DF8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtWriteFileGather + 4 7C90DF92 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[744] ntdll.dll!NtWriteVirtualMemory + 4 7C90DFB2 2 Bytes [2A, 5F]
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F800BC
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F800AB
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F8008E
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80073
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F8004E
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F800ED
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F9B
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F80F54
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateProcessA 7C80236B 1 Byte [E9]
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80F6F
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F800FE
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80FD1
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80FAC
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80033
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80022
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F80F80
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F70047
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F700A9
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70036
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70084
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F70073
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70058
.text C:\WINDOWS\system32\lsass.exe[744] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F330F5A
.text C:\WINDOWS\system32\lsass.exe[744] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F2F0F5A
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60062
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F60047
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F60FD7
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F6002C
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60011
.text C:\WINDOWS\system32\lsass.exe[744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [2D, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [18, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateSection 7C90D17E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtCreateSection + 4 7C90D182 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtDeleteKey 7C90D24E 3 Bytes [FF, 25, 1E]