GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-27 15:25:34 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005e Hitachi_ rev.PC4O 465,76GB Running: e9ywp7j7.exe; Driver: C:\Users\JA\AppData\Local\Temp\uglcyaoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff80002fa3000 17 bytes [00, 00, 1E, 02, 4D, 6D, 43, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 546 fffff80002fa3012 27 bytes [B3, 17, A0, F8, FF, FF, 18, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\services.exe[572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[1012] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000100070230 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000100070330 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000100070250 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000100070490 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baef8d 1 byte [62] .text C:\Windows\SysWOW64\ezSharedSvcHost.exe[2420] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750ba2fd 1 byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3056] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075098791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3056] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750ba2fd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3884] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[4108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Users\JA\Downloads\e9ywp7j7.exe[4424] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000750ba2fd 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [4108:4956] 000007feedf59688 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----