GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-25 22:21:22 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320325AS rev.0003SDM1 298,09GB Running: pgqu439j.exe; Driver: C:\Users\Damian\AppData\Local\Temp\awrdrpog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification PAGE C:\Windows\system32\DRIVERS\PCIIDEX.SYS!DllUnload fffff88000e64a50 12 bytes {MOV RAX, 0xfffffa8003b202a0; JMP RAX} PAGE C:\Windows\system32\DRIVERS\ataport.SYS!DllUnload fffff88000fc94a0 12 bytes {MOV RAX, 0xfffffa8003b182a0; JMP RAX} .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88003c7ac34 12 bytes {MOV RAX, 0xfffffa800508c2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 00000001498b0440 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 00000001498b0430 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 00000001498b0450 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 00000001498b03b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 00000001498b0320 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 00000001498b0380 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 00000001498b02e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 00000001498b0410 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 00000001498b02d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 00000001498b0310 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 00000001498b0390 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 00000001498b03c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 00000001498b0230 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 00000001498b0460 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 00000001498b0370 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 00000001498b02f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 00000001498b0350 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 00000001498b0290 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 00000001498b02b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 00000001498b03a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 00000001498b0330 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 00000001498b03e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 00000001498b0240 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 00000001498b01e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 00000001498b0250 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 00000001498b0470 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 00000001498b0480 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 00000001498b0300 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 00000001498b0360 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 00000001498b02a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 00000001498b02c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 00000001498b0340 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 00000001498b0420 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 00000001498b0260 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 00000001498b0270 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 00000001498b03d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 00000001498b01f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 00000001498b0210 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 00000001498b0200 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 00000001498b03f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 00000001498b0400 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 00000001498b0220 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 00000001498b0280 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000100070230 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000100070330 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000100070250 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\lsass.exe[632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[760] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[880] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\System32\svchost.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\System32\svchost.exe[476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[1200] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1332] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\svchost.exe[1640] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1712] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\taskhost.exe[1872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\Explorer.EXE[1068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\Explorer.EXE[1068] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Program Files (x86)\ASUS\Net4Switch\Net4Switch.exe[1996] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\SysWOW64\ACEngSvr.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2784] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe[3476] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] .text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[3720] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Program Files\Windows Sidebar\sidebar.exe[3892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Users\Damian\AppData\Local\Akamai\netsession_win.exe[3632] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3132] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] .text C:\Program Files (x86)\OrangeBusinessServices\Manager polaczen\{ad30a369-08e3-414c-9d2c-7f47dbe748da}\BusinessEverywhere.exe[696] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] .text C:\Program Files (x86)\OrangeBusinessServices\Manager polaczen\{ad30a369-08e3-414c-9d2c-7f47dbe748da}\SMSNotifier.exe[3148] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\SearchIndexer.exe[2340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[4632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\system32\sppsvc.exe[4588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\System32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5236] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] .text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[5288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\LogonUI.exe[6956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c9ff60 5 bytes JMP 0000000077e00440 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c9ffb0 5 bytes JMP 0000000077e00430 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077ca0160 5 bytes JMP 0000000077e00450 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077ca0170 5 bytes JMP 0000000077e003b0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077ca0220 5 bytes JMP 0000000077e00320 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077ca0250 5 bytes JMP 0000000077e00380 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077ca02b0 5 bytes JMP 0000000077e002e0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077ca0300 5 bytes JMP 0000000077e00410 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077ca0330 5 bytes JMP 0000000077e002d0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077ca0350 5 bytes JMP 0000000077e00310 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077ca0390 5 bytes JMP 0000000077e00390 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077ca03e0 5 bytes JMP 0000000077e003c0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077ca0540 5 bytes JMP 0000000077e00230 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077ca0700 5 bytes JMP 0000000077e00460 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077ca0730 5 bytes JMP 0000000077e00370 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077ca0810 5 bytes JMP 0000000077e002f0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077ca0820 5 bytes JMP 0000000077e00350 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077ca0880 5 bytes JMP 0000000077e00290 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077ca0910 5 bytes JMP 0000000077e002b0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077ca0930 5 bytes JMP 0000000077e003a0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077ca0940 5 bytes JMP 0000000077e00330 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077ca09b0 5 bytes JMP 0000000077e003e0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077ca09e0 5 bytes JMP 0000000077e00240 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077ca0ca0 5 bytes JMP 0000000077e001e0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077ca0d60 5 bytes JMP 0000000077e00250 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077ca0d90 5 bytes JMP 0000000077e00470 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077ca0da0 5 bytes JMP 0000000077e00480 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077ca0dd0 5 bytes JMP 0000000077e00300 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077ca0de0 5 bytes JMP 0000000077e00360 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077ca0e40 5 bytes JMP 0000000077e002a0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077ca0e90 5 bytes JMP 0000000077e002c0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077ca0ed0 5 bytes JMP 0000000077e00340 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077ca11c0 5 bytes JMP 0000000077e00420 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077ca13c0 5 bytes JMP 0000000077e00260 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077ca13d0 5 bytes JMP 0000000077e00270 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077ca13e0 5 bytes JMP 0000000077e003d0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077ca15a0 5 bytes JMP 0000000077e001f0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077ca15b0 5 bytes JMP 0000000077e00210 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077ca1620 5 bytes JMP 0000000077e00200 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077ca1680 5 bytes JMP 0000000077e003f0 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077ca1690 5 bytes JMP 0000000077e00400 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077ca16a0 5 bytes JMP 0000000077e00220 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077ca1780 5 bytes JMP 0000000077e00280 .text C:\Windows\system32\AUDIODG.EXE[6624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b8f1bd 1 byte [62] .text C:\Users\Damian\Desktop\dla izy\pgqu439j.exe[1060] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075deb0c5 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800109ef1c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800109ecc0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800109f69c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800109fa98] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800109f8f4] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 fffffa8003b242c0 Device \Driver\atapi \Device\Ide\IdePort0 fffffa8003b242c0 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification Device \Driver\atapi \Device\Ide\IdePort1 fffffa8003b242c0 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification Device \Driver\atapi \Device\Ide\IdePort2 fffffa8003b242c0 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 fffffa8003b242c0 ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification Device \Driver\atapi \Device\Ide\IdePort3 fffffa8003b242c0 Device \Driver\au6nmzft \Device\Scsi\au6nmzft1 fffffa80051122c0 Device \Driver\JMCR \Device\Scsi\JMCR1 fffffa80050d32c0 Device \Driver\JMCR \Device\Scsi\JMCR2 fffffa80050d32c0 Device \Driver\JMCR \Device\Scsi\JMCR3 fffffa80050d32c0 Device \Driver\au6nmzft \Device\Scsi\au6nmzft1Port8Path0Target0Lun0 fffffa80051122c0 Device \Driver\JMCR \Device\Scsi\JMCR4 fffffa80050d32c0 Device \FileSystem\Ntfs \Ntfs fffffa8003b282c0 Device \Driver\JMCR \Device\ScsiPort7 fffffa80050d32c0 Device \Driver\au6nmzft \Device\ScsiPort8 fffffa80051122c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800508e2c0 Device \Driver\cdrom \Device\CdRom0 fffffa8004e5b2c0 Device \Driver\cdrom \Device\CdRom1 fffffa8004e5b2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{2EE45CF8-6190-4757-AEF5-BC7C5288609A} fffffa8004fe32c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800508e2c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800508e2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{400F59D8-3A3B-4C8B-BB83-BB74A3E9CCD3} fffffa8004fe32c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004fe32c0 Device \Driver\atapi \Device\ScsiPort0 fffffa8003b242c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800508e2c0 Device \Driver\atapi \Device\ScsiPort1 fffffa8003b242c0 Device \Driver\atapi \Device\ScsiPort2 fffffa8003b242c0 Device \Driver\atapi \Device\ScsiPort3 fffffa8003b242c0 Device \Driver\JMCR \Device\ScsiPort4 fffffa80050d32c0 Device \Driver\JMCR \Device\ScsiPort5 fffffa80050d32c0 Device \Driver\JMCR \Device\ScsiPort6 fffffa80050d32c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8003b242c0]<< sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys fffffa8003b242c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b4e060] fffffa8004b4e060 Trace 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> [0xfffffa8003ad8e40] fffffa8003ad8e40 Trace 5 ACPI.sys[fffff8800100b781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80045ab680] fffffa80045ab680 Trace \Driver\atapi[0xfffffa80045cdae0] -> IRP_MJ_CREATE -> 0xfffffa8003b242c0 fffffa8003b242c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\au6nmzft.SYS fffff88004a32000-fffff88004a7e000 (311296 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\spoolsv.exe [1608:2304] 000007fef99d10c8 Thread C:\Windows\System32\spoolsv.exe [1608:2312] 000007fef9996144 Thread C:\Windows\System32\spoolsv.exe [1608:2316] 000007fef9785fd0 Thread C:\Windows\System32\spoolsv.exe [1608:2320] 000007fef9773438 Thread C:\Windows\System32\spoolsv.exe [1608:2324] 000007fef97863ec Thread C:\Windows\System32\spoolsv.exe [1608:2332] 000007fef9a65e5c Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [6068:6084] 000007fef6a4b328 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [6068:6088] 000007fef6a508e4 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [6068:6112] 000007fef6a508e4 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE1 0xF5 0x99 0x86 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x86 0x07 0xCA 0x7C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9A 0xE8 0x47 0x4E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE1 0xF5 0x99 0x86 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x86 0x07 0xCA 0x7C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9A 0xE8 0x47 0x4E ... ---- Files - GMER 2.1 ---- File C:\ADSM_PData_0150 0 bytes File C:\ADSM_PData_0150\DB 0 bytes File C:\ADSM_PData_0150\DB\SI.db 624 bytes File C:\ADSM_PData_0150\DB\UL.db 16 bytes File C:\ADSM_PData_0150\DB\VL.db 16 bytes File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable File C:\ADSM_PData_0150\_avt 512 bytes ---- EOF - GMER 2.1 ----