GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-07 21:45:44 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005e Hitachi_ rev.FBEO 232,89GB Running: fz4yf5ro.exe; Driver: C:\Users\A\AppData\Local\Temp\fxloauog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002fa6000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff80002fa602f 16 bytes [00, 80, E5, FF, 10, A0, F8, ...] .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88003c3dd8c 12 bytes {MOV RAX, 0xfffffa8004a942a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 00000001499d0440 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 00000001499d0430 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 00000001499d0450 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 00000001499d03b0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 00000001499d0320 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 00000001499d0380 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 00000001499d02e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 00000001499d0410 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 00000001499d02d0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 00000001499d0310 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 00000001499d0390 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 00000001499d03c0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 00000001499d0230 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 00000001499d0460 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 00000001499d0370 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 00000001499d02f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 00000001499d0350 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 00000001499d0290 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 00000001499d02b0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 00000001499d03a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 00000001499d0330 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 00000001499d03e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 00000001499d0240 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 00000001499d01e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 00000001499d0250 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 00000001499d0470 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 00000001499d0480 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 00000001499d0300 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 00000001499d0360 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 00000001499d02a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 00000001499d02c0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 00000001499d0340 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 00000001499d0420 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 00000001499d0260 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 00000001499d0270 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 00000001499d03d0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 00000001499d01f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 00000001499d0210 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 00000001499d0200 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 00000001499d03f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 00000001499d0400 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 00000001499d0220 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 00000001499d0280 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\system32\services.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\system32\services.exe[484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\system32\winlogon.exe[508] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\system32\lsass.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\system32\lsass.exe[536] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\system32\svchost.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\System32\svchost.exe[856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\System32\svchost.exe[856] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\system32\svchost.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\system32\svchost.exe[600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\Explorer.EXE[1380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\Explorer.EXE[1380] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\system32\svchost.exe[1764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\system32\taskeng.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000777da2ba 1 byte [62] .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 0000000077d203b0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Program Files (x86)\ASUS\Asus WebStorage\BackupService.exe[2916] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[632] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d6fac0 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[632] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d6fb58 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[632] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d6fcb0 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[632] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d70038 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[632] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d8c4dd 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe[632] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d91287 5 bytes JMP 00000001002403fc .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[720] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000777da2ba 1 byte [62] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d6fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d6fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d6fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d70038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d8c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d91287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000777da2ba 1 byte [62] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000764fee09 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076503982 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076507603 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007650835c 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[668] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007651f52b 5 bytes JMP 00000001000a0a08 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b93b10 5 bytes JMP 000000010026075c .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b97ac0 5 bytes JMP 00000001002603a4 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077bc1430 5 bytes JMP 0000000100260b14 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077bc1490 5 bytes JMP 0000000100260ecc .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 000000010026163c .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077bc17b0 5 bytes JMP 0000000100261284 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff766e00 5 bytes JMP 000007ff7f781dac .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff766f2c 5 bytes JMP 000007ff7f780ecc .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff767220 5 bytes JMP 000007ff7f781284 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff76739c 5 bytes JMP 000007ff7f78163c .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff767538 5 bytes JMP 000007ff7f7819f4 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7675e8 5 bytes JMP 000007ff7f7803a4 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff76790c 5 bytes JMP 000007ff7f78075c .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff767ab4 5 bytes JMP 000007ff7f780b14 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b93b10 5 bytes JMP 00000001003d075c .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b97ac0 5 bytes JMP 00000001003d03a4 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077bc1430 5 bytes JMP 00000001003d0b14 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077bc1490 5 bytes JMP 00000001003d0ecc .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 00000001003d163c .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077bc17b0 5 bytes JMP 00000001003d1284 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\SysWOW64\ACEngSvr.exe[1204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b93b10 5 bytes JMP 00000001001c075c .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b97ac0 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077bc1430 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077bc1490 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 00000001001c163c .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077bc17b0 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff766e00 5 bytes JMP 000007ff7f781dac .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff766f2c 5 bytes JMP 000007ff7f780ecc .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff767220 5 bytes JMP 000007ff7f781284 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff76739c 5 bytes JMP 000007ff7f78163c .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff767538 5 bytes JMP 000007ff7f7819f4 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff7675e8 5 bytes JMP 000007ff7f7803a4 .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff76790c 5 bytes JMP 000007ff7f78075c .text C:\Windows\system32\SearchIndexer.exe[1800] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff767ab4 5 bytes JMP 000007ff7f780b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b93b10 5 bytes JMP 00000001001f075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b97ac0 5 bytes JMP 00000001001f03a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077bc1360 5 bytes JMP 0000000077d20440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077bc13b0 5 bytes JMP 0000000077d20430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077bc1430 5 bytes JMP 00000001001f0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077bc1490 5 bytes JMP 00000001001f0ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077bc1560 5 bytes JMP 0000000077d20450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077bc1570 5 bytes JMP 00000001001f163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077bc1620 5 bytes JMP 0000000077d20320 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077bc1650 5 bytes JMP 0000000077d20380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077bc16b0 5 bytes JMP 0000000077d202e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077bc1700 5 bytes JMP 0000000077d20410 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077bc1730 5 bytes JMP 0000000077d202d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077bc1750 5 bytes JMP 0000000077d20310 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077bc1790 5 bytes JMP 0000000077d20390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077bc17b0 5 bytes JMP 00000001001f1284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077bc17e0 5 bytes JMP 0000000077d203c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077bc1940 5 bytes JMP 0000000077d20230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bc1b00 5 bytes JMP 0000000077d20460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077bc1b30 5 bytes JMP 0000000077d20370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077bc1c10 5 bytes JMP 0000000077d202f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077bc1c20 5 bytes JMP 0000000077d20350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077bc1c80 5 bytes JMP 0000000077d20290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077bc1d10 5 bytes JMP 0000000077d202b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077bc1d30 5 bytes JMP 0000000077d203a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077bc1d40 5 bytes JMP 0000000077d20330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077bc1db0 5 bytes JMP 0000000077d203e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077bc1de0 5 bytes JMP 0000000077d20240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077bc20a0 5 bytes JMP 0000000077d201e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077bc2160 5 bytes JMP 0000000077d20250 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077bc2190 5 bytes JMP 0000000077d20470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077bc21a0 5 bytes JMP 0000000077d20480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077bc21d0 5 bytes JMP 0000000077d20300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077bc21e0 5 bytes JMP 0000000077d20360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077bc2240 5 bytes JMP 0000000077d202a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077bc2290 5 bytes JMP 0000000077d202c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077bc22d0 5 bytes JMP 0000000077d20340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077bc25c0 5 bytes JMP 0000000077d20420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077bc27c0 5 bytes JMP 0000000077d20260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077bc27d0 5 bytes JMP 0000000077d20270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077bc27e0 5 bytes JMP 0000000077d203d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077bc29a0 5 bytes JMP 0000000077d201f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077bc29b0 5 bytes JMP 0000000077d20210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077bc2a20 5 bytes JMP 0000000077d20200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077bc2a80 5 bytes JMP 0000000077d203f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077bc2a90 5 bytes JMP 0000000077d20400 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077bc2aa0 5 bytes JMP 0000000077d20220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077bc2b80 5 bytes JMP 0000000077d20280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3516] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000077aaeecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d6fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d6fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d6fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3284] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d70038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3284] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d8c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3284] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d91287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[3284] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000777da2ba 1 byte [62] .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d6fac0 5 bytes JMP 0000000100030600 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d6fb58 5 bytes JMP 0000000100030804 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d6fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d70038 5 bytes JMP 0000000100030a08 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d8c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d91287 5 bytes JMP 00000001000303fc .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000777da2ba 1 byte [62] .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\syswow64\user32.DLL!SetWinEventHook 00000000764fee09 5 bytes JMP 00000001002501f8 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000076503982 5 bytes JMP 00000001002503fc .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000076507603 5 bytes JMP 0000000100250804 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 000000007650835c 5 bytes JMP 0000000100250600 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 000000007651f52b 5 bytes JMP 0000000100250a08 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077935181 5 bytes JMP 0000000100261014 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077935254 5 bytes JMP 0000000100260804 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000779353d5 5 bytes JMP 0000000100260a08 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000779354c2 5 bytes JMP 0000000100260c0c .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000779355e2 5 bytes JMP 0000000100260e10 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007793567c 5 bytes JMP 00000001002601f8 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007793589f 5 bytes JMP 00000001002603fc .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077935a22 5 bytes JMP 0000000100260600 .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000002671465 2 bytes [67, 02] .text C:\Users\A\Desktop\OTL.exe[1428] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000026714bb 2 bytes [67, 02] .text ... * 2 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d6fac0 5 bytes JMP 0000000100030600 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d6fb58 5 bytes JMP 0000000100030804 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d6fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d70038 5 bytes JMP 0000000100030a08 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d8c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d91287 5 bytes JMP 00000001000303fc .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000777da2ba 1 byte [62] .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077935181 5 bytes JMP 0000000100241014 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077935254 5 bytes JMP 0000000100240804 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000779353d5 5 bytes JMP 0000000100240a08 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000779354c2 5 bytes JMP 0000000100240c0c .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000779355e2 5 bytes JMP 0000000100240e10 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007793567c 5 bytes JMP 00000001002401f8 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007793589f 5 bytes JMP 00000001002403fc .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077935a22 5 bytes JMP 0000000100240600 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000764fee09 5 bytes JMP 00000001002501f8 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076503982 5 bytes JMP 00000001002503fc .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076507603 5 bytes JMP 0000000100250804 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007650835c 5 bytes JMP 0000000100250600 .text C:\Users\A\Desktop\fz4yf5ro.exe[2148] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007651f52b 5 bytes JMP 0000000100250a08 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff88001034f1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001034cc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800103569c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001035a98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010358f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80039ae2c0 Device \FileSystem\fastfat \Fat fffffa8008df12c0 Device \Driver\usbohci \Device\USBPDO-5 fffffa8004a962c0 Device \Driver\usbohci \Device\USBFDO-3 fffffa8004a962c0 Device \Driver\usbohci \Device\USBPDO-1 fffffa8004a962c0 Device \Driver\amdsata \Device\RaidPort0 fffffa80039aa2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800493d2c0 Device \Driver\amdsata \Device\0000005f fffffa80039aa2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{A19D6B05-F471-4837-A422-AB1F066C0C44} fffffa80049ba2c0 Device \Driver\usbehci \Device\USBFDO-4 fffffa8004aae2c0 Device \Driver\usbehci \Device\USBPDO-2 fffffa8004aae2c0 Device \Driver\usbohci \Device\USBFDO-0 fffffa8004a962c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa8004b1f2c0 Device \Driver\usbohci \Device\USBFDO-5 fffffa8004a962c0 Device \Driver\usbohci \Device\USBPDO-3 fffffa8004a962c0 Device \Driver\usbohci \Device\USBFDO-1 fffffa8004a962c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80049ba2c0 Device \Driver\amdsata \Device\ScsiPort0 fffffa80039aa2c0 Device \Driver\usbehci \Device\USBPDO-4 fffffa8004aae2c0 Device \Driver\usbehci \Device\USBFDO-2 fffffa8004aae2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1E901369-7162-4794-88C6-91E4265A8EA8} fffffa80049ba2c0 Device \Driver\usbohci \Device\USBPDO-0 fffffa8004a962c0 Device \Driver\amdsata \Device\0000005e fffffa80039aa2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80039ac2c0]<< sptd.sys amdxata.sys storport.sys hal.dll amdsata.sys fffffa80039ac2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004882060] fffffa8004882060 Trace 3 CLASSPNP.SYS[fffff88001b1f43f] -> nt!IofCallDriver -> [0xfffffa8004872040] fffffa8004872040 Trace \Driver\amdxata[0xfffffa8004778c30] -> IRP_MJ_CREATE -> 0xfffffa80039ac2c0 fffffa80039ac2c0 Trace 5 amdxata.sys[fffff88000e6d917] -> nt!IofCallDriver -> \Device\0000005e[0xfffffa800486e060] fffffa800486e060 Trace \Driver\amdsata[0xfffffa8004777770] -> IRP_MJ_CREATE -> 0xfffffa80039aa2c0 fffffa80039aa2c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\spoolsv.exe [1576:3356] 000007feef8410c8 Thread C:\Windows\System32\spoolsv.exe [1576:3484] 000007feef7f6144 Thread C:\Windows\System32\spoolsv.exe [1576:3504] 000007feefbb5fd0 Thread C:\Windows\System32\spoolsv.exe [1576:3568] 000007feef6b3438 Thread C:\Windows\System32\spoolsv.exe [1576:3580] 000007feefbb63ec Thread C:\Windows\System32\spoolsv.exe [1576:3700] 000007fef05b5e5c Thread C:\Windows\System32\spoolsv.exe [1576:3704] 000007fef0045074 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 G:\niepotrzebne programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x60 0x67 0x34 0x9C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6B 0x4D 0x2E 0x85 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x29 0x09 0x6F 0x73 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 G:\niepotrzebne programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x60 0x67 0x34 0x9C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x6B 0x4D 0x2E 0x85 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x29 0x09 0x6F 0x73 ... ---- Files - GMER 2.1 ---- File C:\ADSM_PData_0150 0 bytes File C:\ADSM_PData_0150\DB 0 bytes File C:\ADSM_PData_0150\DB\SI.db 624 bytes File C:\ADSM_PData_0150\DB\UL.db 16 bytes File C:\ADSM_PData_0150\DB\VL.db 16 bytes File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable File C:\ADSM_PData_0150\_avt 512 bytes ---- EOF - GMER 2.1 ----