
backdoor.tidserv!inf problem


25 replies to this topic

#1 Liamsdarlin

  • Members
  • 14 posts

Posted 15 December 2009 - 11:53 PM

Hey -

So, Thursday my Symantec auto-protect came up saying I had a trojan and a backdoor.tidserv. I don't actually remember it being the same night, but I checked the history and they both say it was 12/10. Anyway, they were quarantined and I then deleted them. After that I ran a quick scan with Malwarebytes and it also found adware.MyWebSearch. Quarantined and successfully deleted all of that. So, I (wrongly) assumed that I cleaned it all up. Starting on Sunday afternoon, whenever anybody (I share a PC with my dad and brother) leaves the PC running, but not doing anything and a little while after the screen saver comes up, the auto-protect comes up again saying we've got a backdoor.tidserv!inf. And it'll keep coming up every so many minutes until you come back and start doing things on the PC again. As long as you are active on the PC it doesn't seem to show up. I didn't get a chance to do much on Sunday about it, but my PC did freeze at one point. And yesterday I basically ran a full Symantec scan and was waiting for a friend to be able to help. He's not sure what to do, so he sent me here.

When I ran the full Symantec scan a few more files came up. They all say backdoor.tidserv!inf, but the file names are:

atapi.sys
A0051955.sys
A0052905.sys
A0052910.sys
A0052889.sys
A0051961.sys

And when auto-protect comes up only atapi.sys and A0051955.sys show up. But all the files say "clean security risk failed. quarantine failed." Oh, also if it helps the files I did successfully delete on the 10th were:

txt/a/soundbl.class
091124213047359.rsc

Other than that I'm not really sure what the problem is. My PC is running slow, but I assumed that was because I'm long overdue for a major cleaning and getting rid of junk files, etc. Right now my main concern is the backdoor.tidserv!inf and what to do about that. I don't seem to have too much trouble other than the auto-protect coming up pretty much whenever the PC is idle long enough for the screen savers to come up. I hope I explained everything clearly.

Oh, one more thing, when I tried running RootRepeal it gave me an error "Error - invalid PE image found!" I clicked ok and it still let me run the scan, but I didn't get any options to choose from. Like drivers, files, processes, etc. or which system drive to scan. Not sure if that matters, but I'll attach the log I have.

Thank you to anyone who takes the time to help me. :(



DDS (Ver_09-12-01.01) - NTFSx86
Run by Keri at 22:01:19.08 on Tue 12/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.90 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lexpps.exe
C:\Documents and Settings\Keri\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM7\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Keri\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uWindow Title = Internet Explorer Provided by Cox High Speed Internet
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [SansaDispatch] c:\documents and settings\keri\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: &Search
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: { - c:\program files\platinumplay\casinogame.exe
IE: {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5}
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} - hxxp://www.riverbelle.com/download_helper/Nyoko.cab
DPF: {46C66BBD-E667-4DAD-9682-58050E7C9FDC} - hxxp://www.cdpass.com/cdkey/CDPass.cab
DPF: {4FA3D392-9349-4D85-8FB9-18733534CFE3} - hxxp://www.spybouncer.com/downloader/setup.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134271249015
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} - hxxp://cdn.digitalcity.com/video/kdx.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://riverbelle.microgaming.com/freeplay/FlashAX.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 200.124.131.116 casinocontroller.com
Hosts: 200.124.131.116 casinocontroller.com
Hosts: 200.124.131.116 casinocontroller.com
Hosts: 200.124.131.116 casinocontroller.com
Hosts: 200.124.131.116 casinocontroller.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\keri\applic~1\mozilla\firefox\profiles\lgsnsytu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - plugin: c:\documents and settings\keri\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-20 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-12-21 186016]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-12-21 177824]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-12-21 1756912]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2008-9-28 33792]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091211.002\naveng.sys [2009-12-11 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091211.002\navex15.sys [2009-12-11 1323568]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-12-21 83616]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;\??\c:\progra~1\pc-doc~1\pcd5srvc.pkms --> c:\progra~1\pc-doc~1\PCD5SRVC.pkms [?]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-12-21 169200]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-12-16 02:55:25 0 d-----w- c:\program files\Cobian Backup 9
2009-12-09 08:07:29 443 ----a-w- c:\windows\system32\MRT.INI
2009-12-08 02:07:11 0 d-----w- c:\program files\iPod
2009-12-08 02:06:34 0 d-----w- c:\program files\iTunes
2009-12-03 06:09:09 14608 ----a-w- c:\windows\system32\iviaspi.sys
2009-12-03 06:08:30 0 d-----w- c:\program files\SanDisk
2009-12-01 22:53:17 0 d-----w- c:\docume~1\keri\applic~1\com.divita.nihongoup.0847A6F69C43294B0233ECB55F0AA0E8236D3CEB.1
2009-12-01 22:48:18 0 d-----w- c:\program files\divita
2009-12-01 04:08:47 0 d-----w- c:\docume~1\keri\applic~1\cYo
2009-12-01 04:00:25 0 d-----w- c:\program files\ComicRack
2009-11-29 05:39:05 0 d-----w- c:\program files\Boilsoft Video Splitter
2009-11-24 17:44:55 0 d-----w- c:\program files\Silver Oak Casino
2009-11-23 15:01:39 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-23 14:58:06 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-23 01:39:06 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2009-11-23 01:36:01 0 d-----w- c:\program files\AIM7
2009-11-23 01:32:58 0 d-----w- c:\program files\common files\Software Update Utility

==================== Find3M ====================

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-23 21:35:01 61000 -c--a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2007-01-22 14:35:48 774144 -c--a-w- c:\program files\RngInterstitial.dll
2006-02-13 02:01:46 423 -c--a-w- c:\program files\.lot
2006-02-13 02:00:38 280000 -c--a-w- c:\program files\allbox4.rpt
2006-02-13 01:59:52 180 -c--a-w- c:\program files\lotto.tmp
2008-09-05 22:40:22 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 22:03:52.61 ===============


 


#2 Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania

Posted 28 December 2009 - 02:16 PM

Hello,
And :( to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft

 



#3 Liamsdarlin

Liamsdarlin
  • Topic Starter

  • Members
  • 14 posts

Posted 02 January 2010 - 04:03 AM

Hey and thank you for replying :(

Sorry I didn't reply sooner; I was out of town and didn't get a chance to check my email or anything until tonight. Anyway, everything is pretty much still the same as in my first post. The only thing I've done since that post was run the System File Checker. I think that fixed the problem with the atapi.sys file because that no longer comes up in the auto-protect. Now only A0051955.sys comes up in auto-protect, and still only after the PC has been idle for a bit. Other than that, the PC is still quite slow when starting up and when I try to open programs. Browsers especially seem to take a while to open. Not sure if that has anything to do with the backdoor.tidserv problem. And sometimes the "virtual memory minimum is too low" message will come up even when I'm not running anything at all.

I ran the scans you asked me to and here are the logs. Thanks again for the reply!





DDS (Ver_09-12-01.01) - NTFSx86
Run by Keri at 21:22:50.96 on Fri 01/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.197 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Keri\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM7\aim.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Keri\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uWindow Title = Internet Explorer Provided by Cox High Speed Internet
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [SansaDispatch] c:\documents and settings\keri\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: &Search
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: { - c:\program files\platinumplay\casinogame.exe
IE: {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5}
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} - hxxp://www.riverbelle.com/download_helper/Nyoko.cab
DPF: {46C66BBD-E667-4DAD-9682-58050E7C9FDC} - hxxp://www.cdpass.com/cdkey/CDPass.cab
DPF: {4FA3D392-9349-4D85-8FB9-18733534CFE3} - hxxp://www.spybouncer.com/downloader/setup.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134271249015
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} - hxxp://cdn.digitalcity.com/video/kdx.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://riverbelle.microgaming.com/freeplay/FlashAX.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 200.124.131.116 casinocontroller.com
Hosts: 200.124.131.116 casinocontroller.com
Hosts: 200.124.131.116 casinocontroller.com
Hosts: 200.124.131.116 casinocontroller.com
Hosts: 200.124.131.116 casinocontroller.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\keri\applic~1\mozilla\firefox\profiles\lgsnsytu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - plugin: c:\documents and settings\keri\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-20 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-12-21 186016]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-12-21 177824]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-12-21 1756912]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2008-9-28 33792]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091231.017\naveng.sys [2010-1-1 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091231.017\navex15.sys [2010-1-1 1323568]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-12-21 83616]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;\??\c:\progra~1\pc-doc~1\pcd5srvc.pkms --> c:\progra~1\pc-doc~1\PCD5SRVC.pkms [?]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-12-21 169200]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-12-23 03:17:00 899146 ----a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2009-12-23 03:16:54 41472 ----a-w- c:\windows\system32\dllcache\qvusd.dll
2009-12-23 03:16:45 3328 ----a-w- c:\windows\system32\dllcache\qv2kux.sys
2009-12-23 03:16:22 49024 ----a-w- c:\windows\system32\dllcache\ql1280.sys
2009-12-23 03:16:08 40448 ----a-w- c:\windows\system32\dllcache\ql1240.sys
2009-12-23 03:15:55 45312 ----a-w- c:\windows\system32\dllcache\ql12160.sys
2009-12-23 03:15:44 33152 ----a-w- c:\windows\system32\dllcache\ql10wnt.sys
2009-12-23 03:15:28 40320 ----a-w- c:\windows\system32\dllcache\ql1080.sys
2009-12-23 03:15:24 6016 ----a-w- c:\windows\system32\dllcache\qic157.sys
2009-12-23 03:14:42 130942 ----a-w- c:\windows\system32\dllcache\ptserlv.sys
2009-12-23 03:13:50 112574 ----a-w- c:\windows\system32\dllcache\ptserlp.sys
2009-12-23 03:13:01 128286 ----a-w- c:\windows\system32\dllcache\ptserli.sys
2009-12-23 03:12:43 159232 ----a-w- c:\windows\system32\dllcache\ptpusd.dll
2009-12-23 03:12:08 5632 ----a-w- c:\windows\system32\dllcache\ptpusb.dll
2009-12-23 03:12:01 33280 ----a-w- c:\windows\system32\dllcache\psisrndr.ax
2009-12-23 03:11:52 35328 ----a-w- c:\windows\system32\dllcache\psisload.dll
2009-12-23 03:11:48 363520 ----a-w- c:\windows\system32\dllcache\psisdecd.dll
2009-12-23 03:11:32 16128 ----a-w- c:\windows\system32\dllcache\pscr.sys
2009-12-23 03:11:26 17664 ----a-w- c:\windows\system32\dllcache\ppa3.sys
2009-12-23 03:11:22 17792 ----a-w- c:\windows\system32\dllcache\ppa.sys
2009-12-23 03:11:19 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys
2009-12-23 03:11:14 7168 ----a-w- c:\windows\system32\dllcache\pnrmc.sys
2009-12-23 03:11:03 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll
2009-12-23 03:09:59 29502 ----a-w- c:\windows\system32\dllcache\pca200e.sys
2009-12-23 03:08:58 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys
2009-12-23 03:08:47 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
2009-12-23 03:07:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2009-12-23 03:07:18 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2009-12-23 03:06:44 51552 ----a-w- c:\windows\system32\dllcache\ntgrip.sys
2009-12-23 03:06:37 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2009-12-23 03:06:33 7552 ----a-w- c:\windows\system32\dllcache\nsmmc.sys
2009-12-23 03:06:29 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2009-12-23 03:06:18 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2009-12-23 03:06:14 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-12-23 03:06:06 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2009-12-23 03:06:05 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2009-12-23 03:04:59 19968 ----a-w- c:\windows\system32\dllcache\mxnic.sys
2009-12-23 03:04:55 19968 ----a-w- c:\windows\system32\dllcache\mxicfg.dll
2009-12-23 03:04:52 21888 ----a-w- c:\windows\system32\dllcache\mxcard.sys
2009-12-23 03:04:51 229439 ----a-w- c:\windows\system32\dllcache\multibox.dll
2009-12-23 03:04:34 103296 ----a-w- c:\windows\system32\dllcache\mtxvideo.sys
2009-12-23 03:04:03 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2009-12-23 03:03:54 12416 ----a-w- c:\windows\system32\dllcache\msriffwv.sys
2009-12-23 03:03:31 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2009-12-23 03:03:25 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2009-12-23 03:03:24 1875968 ----a-w- c:\windows\system32\dllcache\msir3jp.lex
2009-12-23 03:03:23 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-12-23 03:02:53 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2009-12-23 03:02:00 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2009-12-23 03:01:57 56832 ----a-w- c:\windows\system32\dllcache\msdvbnp.ax
2009-12-23 03:01:45 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2009-12-23 03:00:32 17280 ----a-w- c:\windows\system32\dllcache\mraid35x.sys
2009-12-23 03:00:11 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2009-12-23 02:59:57 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-12-23 02:59:49 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-12-23 02:59:31 6528 ----a-w- c:\windows\system32\dllcache\miniqic.sys
2009-12-23 02:59:19 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2009-12-23 02:59:16 235648 ----a-w- c:\windows\system32\dllcache\mgaud.dll
2009-12-23 02:59:13 26112 ----a-w- c:\windows\system32\dllcache\memstpci.sys
2009-12-23 02:59:10 47616 ----a-w- c:\windows\system32\dllcache\memgrp.dll
2009-12-23 02:59:06 8320 ----a-w- c:\windows\system32\dllcache\memcard.sys
2009-12-23 02:57:54 4992 ----a-w- c:\windows\system32\dllcache\loop.sys
2009-12-23 02:57:45 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys
2009-12-23 02:57:42 20573 ----a-w- c:\windows\system32\dllcache\lne100.sys
2009-12-23 02:57:37 25065 ----a-w- c:\windows\system32\dllcache\lmndis3.sys
2009-12-23 02:57:34 15744 ----a-w- c:\windows\system32\dllcache\lit220p.sys
2009-12-23 02:57:31 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-23 02:57:28 26442 ----a-w- c:\windows\system32\dllcache\lanepic5.sys
2009-12-23 02:57:23 19016 ----a-w- c:\windows\system32\dllcache\ktc111.sys
2009-12-23 02:57:12 37376 ----a-w- c:\windows\system32\dllcache\kousd.dll
2009-12-23 02:57:11 1158818 ----a-w- c:\windows\system32\dllcache\korwbrkr.lex
2009-12-23 02:57:10 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2009-12-23 02:57:05 253952 ----a-w- c:\windows\system32\dllcache\kdsusd.dll
2009-12-23 02:57:02 48640 ----a-w- c:\windows\system32\dllcache\kdsui.dll
2009-12-23 02:56:12 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-12-23 02:55:15 8704 ----a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-12-23 02:54:49 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-12-23 02:53:56 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
2009-12-23 02:53:53 5632 ----a-w- c:\windows\system32\dllcache\kbd103.dll
2009-12-23 02:53:49 6144 ----a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-12-23 02:53:46 6144 ----a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-12-23 02:53:34 26624 ----a-w- c:\windows\system32\dllcache\irstusb.sys
2009-12-23 02:53:31 18688 ----a-w- c:\windows\system32\dllcache\irsir.sys
2009-12-23 02:53:30 28160 ----a-w- c:\windows\system32\dllcache\irmon.dll
2009-12-23 02:53:27 23552 ----a-w- c:\windows\system32\dllcache\irmk7.sys
2009-12-23 02:53:26 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe
2009-12-23 02:53:21 88192 ----a-w- c:\windows\system32\dllcache\irda.sys
2009-12-23 02:51:41 372824 ----a-w- c:\windows\system32\dllcache\iconf32.dll
2009-12-23 02:51:36 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2009-12-23 02:51:33 20480 ----a-w- c:\windows\system32\dllcache\icam5ext.dll
2009-12-23 02:51:30 45056 ----a-w- c:\windows\system32\dllcache\icam5com.dll
2009-12-23 02:51:27 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys
2009-12-23 02:51:24 61952 ----a-w- c:\windows\system32\dllcache\icam4ext.dll
2009-12-23 02:51:21 91136 ----a-w- c:\windows\system32\dllcache\icam4com.dll
2009-12-23 02:51:17 26624 ----a-w- c:\windows\system32\dllcache\icam3ext.dll
2009-12-23 02:51:14 141056 ----a-w- c:\windows\system32\dllcache\icam3.sys
2009-12-23 02:51:10 38528 ----a-w- c:\windows\system32\dllcache\ibmvcap.sys
2009-12-23 02:51:06 109085 ----a-w- c:\windows\system32\dllcache\ibmtrp.sys
2009-12-23 02:51:03 100936 ----a-w- c:\windows\system32\dllcache\ibmtok.sys
2009-12-23 02:50:59 9216 ----a-w- c:\windows\system32\dllcache\ibmsgnet.dll
2009-12-23 02:50:56 28700 ----a-w- c:\windows\system32\dllcache\ibmexmp.sys
2009-12-23 02:50:49 161020 ----a-w- c:\windows\system32\dllcache\i81xnt5.sys
2009-12-23 02:50:48 702845 ----a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2009-12-23 02:50:45 58592 ----a-w- c:\windows\system32\dllcache\i740nt5.sys
2009-12-23 02:50:35 353184 ----a-w- c:\windows\system32\dllcache\i740dnt5.dll
2009-12-23 02:50:34 18560 ----a-w- c:\windows\system32\dllcache\i2omp.sys
2009-12-23 02:50:26 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-23 02:50:14 10129408 ----a-w- c:\windows\system32\dllcache\hwxkor.dll
2009-12-23 02:49:54 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2009-12-23 02:49:23 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys
2009-12-23 02:49:20 50751 ----a-w- c:\windows\system32\dllcache\hsf_tone.sys
2009-12-23 02:49:17 73279 ----a-w- c:\windows\system32\dllcache\hsf_spkp.sys
2009-12-23 02:49:13 44863 ----a-w- c:\windows\system32\dllcache\hsf_soar.sys
2009-12-23 02:49:10 57471 ----a-w- c:\windows\system32\dllcache\hsf_samp.sys
2009-12-23 02:49:07 542879 ----a-w- c:\windows\system32\dllcache\hsf_msft.sys
2009-12-23 02:49:02 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2009-12-23 02:47:59 126976 ----a-w- c:\windows\system32\dllcache\hpgt34tk.dll
2009-12-23 02:47:56 101376 ----a-w- c:\windows\system32\dllcache\hpgt34.dll
2009-12-23 02:47:53 48128 ----a-w- c:\windows\system32\dllcache\hpgt33tk.dll
2009-12-23 02:47:50 89088 ----a-w- c:\windows\system32\dllcache\hpgt33.dll
2009-12-23 02:47:47 123392 ----a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2009-12-23 02:47:43 83968 ----a-w- c:\windows\system32\dllcache\hpgt21.dll
2009-12-23 02:47:37 119296 ----a-w- c:\windows\system32\dllcache\hpdigwia.dll
2009-12-23 02:47:19 2688 ----a-w- c:\windows\system32\dllcache\hidswvd.sys
2009-12-23 02:47:19 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-23 02:47:14 8576 ----a-w- c:\windows\system32\dllcache\hidgame.sys
2009-12-23 02:47:12 20352 ----a-w- c:\windows\system32\dllcache\hidbatt.sys
2009-12-23 02:45:43 92160 ----a-w- c:\windows\system32\dllcache\fuusd.dll
2009-12-23 02:45:40 455296 ----a-w- c:\windows\system32\dllcache\fusbbase.sys
2009-12-23 02:45:37 455680 ----a-w- c:\windows\system32\dllcache\fus2base.sys
2009-12-23 02:45:20 442240 ----a-w- c:\windows\system32\dllcache\fpnpbase.sys
2009-12-23 02:45:16 441728 ----a-w- c:\windows\system32\dllcache\fpcmbase.sys
2009-12-23 02:45:04 444416 ----a-w- c:\windows\system32\dllcache\fpcibase.sys
2009-12-23 02:44:53 34173 ----a-w- c:\windows\system32\dllcache\forehe.sys
2009-12-23 02:44:24 71680 ----a-w- c:\windows\system32\dllcache\fnfilter.dll
2009-12-23 02:44:05 27165 ----a-w- c:\windows\system32\dllcache\fetnd5.sys
2009-12-23 02:43:56 22090 ----a-w- c:\windows\system32\dllcache\fem556n5.sys
2009-12-23 02:43:40 24618 ----a-w- c:\windows\system32\dllcache\fa410nd5.sys
2009-12-23 02:43:38 16074 ----a-w- c:\windows\system32\dllcache\fa312nd5.sys
2009-12-23 02:43:35 11850 ----a-w- c:\windows\system32\dllcache\f3ab18xj.sys
2009-12-23 02:43:33 12362 ----a-w- c:\windows\system32\dllcache\f3ab18xi.sys
2009-12-23 02:43:29 7040 ----a-w- c:\windows\system32\dllcache\exabyte2.sys
2009-12-23 02:43:27 16998 ----a-w- c:\windows\system32\dllcache\ex10.sys
2009-12-23 02:43:19 45568 ----a-w- c:\windows\system32\dllcache\esunib.dll
2009-12-23 02:43:17 45568 ----a-w- c:\windows\system32\dllcache\esuni.dll
2009-12-23 02:43:09 34816 ----a-w- c:\windows\system32\dllcache\esuimg.dll
2009-12-23 02:42:48 43008 ----a-w- c:\windows\system32\dllcache\esucm.dll
2009-12-23 02:42:43 137088 ----a-w- c:\windows\system32\dllcache\essm2e.sys
2009-12-23 02:42:22 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2009-12-23 02:42:08 347550 ----a-w- c:\windows\system32\dllcache\es56tpi.sys
2009-12-23 02:42:05 594238 ----a-w- c:\windows\system32\dllcache\es56hpi.sys
2009-12-23 02:42:03 595647 ----a-w- c:\windows\system32\dllcache\es56cvmp.sys
2009-12-23 02:42:00 174464 ----a-w- c:\windows\system32\dllcache\es198x.sys
2009-12-23 02:40:58 634134 ----a-w- c:\windows\system32\dllcache\el656ct5.sys
2009-12-23 02:39:59 8704 ----a-w- c:\windows\system32\dllcache\dot4scan.sys
2009-12-23 02:38:55 419357 ----a-w- c:\windows\system32\dllcache\dgconfig.dll
2009-12-23 02:37:59 3072 ----a-w- c:\windows\system32\dllcache\cwbmidi.sys
2009-12-23 02:36:59 838144 ----a-w- c:\windows\system32\dllcache\chtbrkr.dll
2009-12-23 02:35:59 74240 ----a-w- c:\windows\system32\dllcache\camexo20.dll
2009-12-23 02:35:58 73216 ----a-w- c:\windows\system32\dllcache\camexo20.ax
2009-12-23 02:35:57 171264 ----a-w- c:\windows\system32\dllcache\camdrv30.sys
2009-12-23 02:35:56 223232 ----a-w- c:\windows\system32\dllcache\camdrv21.sys
2009-12-23 02:35:51 314752 ----a-w- c:\windows\system32\dllcache\camdro21.sys
2009-12-23 02:33:59 102400 ----a-w- c:\windows\system32\dllcache\binlsvc.dll
2009-12-23 02:32:59 46464 ----a-w- c:\windows\system32\dllcache\atibt829.sys
2009-12-23 02:30:29 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-12-16 02:55:25 0 d-----w- c:\program files\Cobian Backup 9
2009-12-09 08:07:29 443 ----a-w- c:\windows\system32\MRT.INI
2009-12-08 02:07:11 0 d-----w- c:\program files\iPod
2009-12-08 02:06:34 0 d-----w- c:\program files\iTunes
2009-12-03 06:09:09 14608 ----a-w- c:\windows\system32\iviaspi.sys
2009-12-03 06:08:30 0 d-----w- c:\program files\SanDisk

==================== Find3M ====================

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 15:01:30 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-23 21:35:01 61000 -c--a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\dllcache\raschap.dll
2007-01-22 14:35:48 774144 -c--a-w- c:\program files\RngInterstitial.dll
2006-02-13 02:01:46 423 -c--a-w- c:\program files\.lot
2006-02-13 02:00:38 280000 -c--a-w- c:\program files\allbox4.rpt
2006-02-13 01:59:52 180 -c--a-w- c:\program files\lotto.tmp
2008-09-05 22:40:22 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 21:24:05.07 ===============


#4 Liamsdarlin


Posted 02 January 2010 - 04:30 AM

Sorry, I couldn't post this in just one, or even 2 posts. It's long and I can't attach it either cos it's too large.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-02 03:08:38
Windows 5.1.2600 Service Pack 3
Running: 8xr71il8.exe; Driver: C:\DOCUME~1\Keri\LOCALS~1\Temp\kftyqfow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF763F87E]
SSDT spsh.sys ZwEnumerateKey [0xF74CDCA2]
SSDT spsh.sys ZwEnumerateValueKey [0xF74CE030]
SSDT spsh.sys ZwOpenKey [0xF74AF0C0]
SSDT spsh.sys ZwQueryKey [0xF74CE108]
SSDT spsh.sys ZwQueryValueKey [0xF74CDF88]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF763FBFE]

INT 0x62 ? 84FDCBF8
INT 0x73 ? 84E50BF8
INT 0x73 ? 84E50BF8
INT 0x73 ? 84E50BF8
INT 0x73 ? 84E50BF8
INT 0x82 ? 84FDCBF8
INT 0x83 ? 84FDCBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!PsGetProcessWin32Process + 2B 804E6BD5 3 Bytes [34, 61, 80]
.text ntoskrnl.exe!PsGetProcessWin32Process + 2F 804E6BD9 3 Bytes [34, 61, 80]
.text ntoskrnl.exe!PsGetProcessWin32Process + 37 804E6BE1 3 Bytes [13, 5E, 80] {ADC EBX, [ESI-0x80]}
.text ...
.text ntoskrnl.exe!KeReadStateTimer + 44 804E6C3D 3 Bytes [02, 60, 80] {ADD AH, [EAX-0x80]}
.text ntoskrnl.exe!KeReadStateTimer + 48 804E6C41 3 Bytes [02, 60, 80] {ADD AH, [EAX-0x80]}
.text ntoskrnl.exe!KeReadStateTimer + 50 804E6C49 3 Bytes [02, 60, 80] {ADD AH, [EAX-0x80]}
.text ntoskrnl.exe!KeReadStateTimer + 54 804E6C4D 3 Bytes [02, 60, 80] {ADD AH, [EAX-0x80]}
.text ntoskrnl.exe!KeReadStateTimer + 6A 804E6C63 3 Bytes [97, 56, 80]
.text ...
.text ntoskrnl.exe!ZwSetTimer + 4 804E7A39 3 Bytes CALL 68CEC8B9
.text ntoskrnl.exe!ZwSetTimer + 40 804E7A75 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!ZwSetTimer + 71 804E7AA6 3 Bytes [A4, 56, 80]
.text ntoskrnl.exe!ZwSetTimer + A5 804E7ADA 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ZwSetTimer + D6 804E7B0B 3 Bytes [A4, 56, 80]
.text ...
.text ntoskrnl.exe!KeInitializeEvent + 71 804E7E37 3 Bytes [9F, 55, 80]
.text ntoskrnl.exe!KeInitializeEvent + C5 804E7E8B 3 Bytes [95, 56, 80]
.text ntoskrnl.exe!KeInitializeEvent + E3 804E7EA9 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!KeInitializeEvent + F3 804E7EB9 3 Bytes [A4, 56, 80]
.text ntoskrnl.exe!KeInitializeEvent + 10D 804E7ED3 3 Bytes [BC, 55, 80]
.text ...
.text ntoskrnl.exe!_wcsicmp + 5D 804E815D 3 Bytes [70, 60, 80]
.text ntoskrnl.exe!_wcsicmp + 61 804E8161 3 Bytes [70, 60, 80]
.text ntoskrnl.exe!_wcsicmp + 71 804E8171 3 Bytes [62, 61, 80] {BOUND ESP, [ECX-0x80]}
.text ntoskrnl.exe!_wcsicmp + 79 804E8179 3 Bytes [63, 61, 80] {ARPL [ECX-0x80], SP}
.text ntoskrnl.exe!_wcsicmp + 7D 804E817D 3 Bytes [63, 61, 80] {ARPL [ECX-0x80], SP}
.text ...
.text ntoskrnl.exe!IoReleaseCancelSpinLock + E 804E81AB 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoAcquireCancelSpinLock + B 804E81C2 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoAcquireCancelSpinLock + 34 804E81EB 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!IoAcquireCancelSpinLock + 84 804E823B 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoAcquireCancelSpinLock + A0 804E8257 3 Bytes [7C, 55, 80]
.text ntoskrnl.exe!IoAcquireCancelSpinLock + A8 804E825F 3 Bytes [31, 56, 80] {XOR [ESI-0x80], EDX}
.text ...
.text ntoskrnl.exe!IoThreadToProcess + 15 804E83F5 3 Bytes [13, 4E, 80] {ADC ECX, [ESI-0x80]}
.text ntoskrnl.exe!IoGetTopLevelIrp + 3E 804E84D0 3 Bytes [AA, 55, 80]
.text ntoskrnl.exe!KeResetEvent + B 804E8510 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeResetEvent + 50 804E8555 3 Bytes [BC, 55, 80]
.text ntoskrnl.exe!KeResetEvent + 59 804E855E 3 Bytes [79, 55, 80]
.text ntoskrnl.exe!KeResetEvent + 6B 804E8570 3 Bytes [79, 55, 80]
.text ntoskrnl.exe!KeResetEvent + 8F 804E8594 3 Bytes [7E, 56, 80]
.text ...
.text ntoskrnl.exe!PsReturnPoolQuota + E 804E86E3 3 Bytes [97, 56, 80]
.text ntoskrnl.exe!ExAllocatePoolWithQuotaTag + 20 804E8782 3 Bytes [BB, 56, 80]
.text ntoskrnl.exe!ExAllocatePoolWithQuotaTag + 2C 804E878E 3 Bytes [07, 56, 80]
.text ntoskrnl.exe!ExAllocatePoolWithQuotaTag + 60 804E87C2 3 Bytes [F0, 55, 80]
.text ntoskrnl.exe!ExAllocatePoolWithQuotaTag + 7A 804E87DC 3 Bytes [97, 56, 80]
.text ntoskrnl.exe!PsChargeProcessPoolQuota + D 804E8834 3 Bytes [97, 56, 80]
.text ntoskrnl.exe!PsChargeProcessPoolQuota + 9E 804E88C5 3 Bytes [89, 60, 80] {MOV [EAX-0x80], ESP}
.text ntoskrnl.exe!PsChargeProcessPoolQuota + A2 804E88C9 3 Bytes [89, 60, 80] {MOV [EAX-0x80], ESP}
.text ntoskrnl.exe!KeInitializeSemaphore + 59 804E892A 3 Bytes [7C, 56, 80]
.text ntoskrnl.exe!KeInitializeSemaphore + 5F 804E8930 3 Bytes [79, 55, 80]
.text ntoskrnl.exe!KeInitializeSemaphore + 70 804E8941 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!KeInitializeSemaphore + 7E 804E894F 3 Bytes [7C, 56, 80]
.text ntoskrnl.exe!KeInitializeSemaphore + C6 804E8997 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!KeReleaseSemaphore + E 804E90BC 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeReleaseSemaphore + 88 804E9136 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!KeReleaseSemaphore + BF 804E916D 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!KeReleaseSemaphore + EF 804E919D 3 Bytes [A1, 5F, 80]
.text ntoskrnl.exe!KeReleaseSemaphore + F3 804E91A1 3 Bytes [A1, 5F, 80]
.text ...
.text ntoskrnl.exe!ExAllocateFromPagedLookasideList + 26 804E923D 3 Bytes [85, 60, 80] {TEST [EAX-0x80], ESP}
.text ntoskrnl.exe!ExAllocateFromPagedLookasideList + 2A 804E9241 3 Bytes [85, 60, 80] {TEST [EAX-0x80], ESP}
.text ntoskrnl.exe!ExAllocateFromPagedLookasideList + 36 804E924D 3 Bytes [09, 58, 80] {OR [EAX-0x80], EBX}
.text ntoskrnl.exe!ExAllocateFromPagedLookasideList + 42 804E9259 3 Bytes [83, 60, 80]
.text ntoskrnl.exe!ExAllocateFromPagedLookasideList + 4E 804E9265 3 Bytes [70, 60, 80]
.text ...
.text ntoskrnl.exe!IoSetThreadHardErrorMode + 7D 804E94DD 3 Bytes [31, 60, 80] {XOR [EAX-0x80], ESP}
.text ntoskrnl.exe!IoSetThreadHardErrorMode + 81 804E94E1 3 Bytes [31, 60, 80] {XOR [EAX-0x80], ESP}
.text ntoskrnl.exe!IoSetThreadHardErrorMode + 89 804E94E9 3 Bytes [32, 60, 80] {XOR AH, [EAX-0x80]}
.text ntoskrnl.exe!IoSetThreadHardErrorMode + 8D 804E94ED 3 Bytes JMP FF806032
.text ntoskrnl.exe!IoSetThreadHardErrorMode + 95 804E94F5 3 Bytes [32, 60, 80] {XOR AH, [EAX-0x80]}
.text ...
.text ntoskrnl.exe!KeFlushEntireTb + 14 804E9BE9 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeFlushEntireTb + 22 804E9BF7 3 Bytes [BA, 55, 80]
.text ntoskrnl.exe!KeFlushEntireTb + 30 804E9C05 3 Bytes [BA, 55, 80]
.text ntoskrnl.exe!KeFlushEntireTb + 49 804E9C1E 3 Bytes [9C, 4E, 80]
.text ntoskrnl.exe!KeFlushEntireTb + 68 804E9C3D 3 Bytes [9F, 55, 80]
.text ...
.text ntoskrnl.exe!ExDeleteResourceLite + 9 804E9E7B 3 Bytes [93, 55, 80]
.text ntoskrnl.exe!ExDeleteResourceLite + 12 804E9E84 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExDeleteResourceLite + 29 804E9E9B 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExInitializeResourceLite + 1F 804E9EEE 3 Bytes [07, 56, 80]
.text ntoskrnl.exe!ExInitializeResourceLite + 2F 804E9EFE 3 Bytes [93, 55, 80]
.text ntoskrnl.exe!ExInitializeResourceLite + 36 804E9F05 3 Bytes [BB, 56, 80]
.text ntoskrnl.exe!ExInitializeResourceLite + 7E 804E9F4D 3 Bytes [9F, 4E, 80]
.text ntoskrnl.exe!ExInitializeResourceLite + 8F 804E9F5E 3 Bytes [80, 4D, 80]
.text ...
.text ntoskrnl.exe!wcscmp + 40 804EA11D 3 Bytes [71, 60, 80]
.text ntoskrnl.exe!wcscmp + 44 804EA121 3 Bytes [71, 60, 80]
.text ntoskrnl.exe!PsGetThreadFreezeCount + 3F 804EA19F 3 Bytes [90, 56, 80]
.text ntoskrnl.exe!PsGetThreadFreezeCount + 5A 804EA1BA 3 Bytes [A4, 56, 80]
.text ntoskrnl.exe!PsGetThreadFreezeCount + 60 804EA1C0 3 Bytes [A4, 56, 80]
.text ntoskrnl.exe!PsGetThreadFreezeCount + 6A 804EA1CA 3 Bytes [A4, 56, 80]
.text ntoskrnl.exe!PsGetThreadFreezeCount + 14D 804EA2AD 3 Bytes [AD, 5F, 80]
.text ...
.text ntoskrnl.exe!PsGetCurrentProcessSessionId + 14 804EA47D 3 Bytes [CA, 5F, 80] {RETF 0x805f}
.text ntoskrnl.exe!PsGetCurrentProcessSessionId + 18 804EA481 3 Bytes [CA, 5F, 80] {RETF 0x805f}
.text ntoskrnl.exe!PsGetProcessPeb + 35 804EA4DD 3 Bytes [34, 61, 80]
.text ntoskrnl.exe!PsGetProcessPeb + 39 804EA4E1 3 Bytes [34, 61, 80]
.text ntoskrnl.exe!PsGetProcessPeb + 4D 804EA4F5 3 Bytes [AC, 61, 80]
.text ntoskrnl.exe!PsGetProcessPeb + 51 804EA4F9 3 Bytes [AC, 61, 80]
.text ntoskrnl.exe!PsGetProcessPeb + 5D 804EA505 3 Bytes [81, 61, 80]
.text ...
.text ntoskrnl.exe!ObReferenceObjectByPointer + 1B 804EA59C 3 Bytes [BD, 55, 80]
.text ntoskrnl.exe!ObReferenceObjectByPointer + 3C 804EA5BD 3 Bytes [AD, 60, 80]
.text ntoskrnl.exe!ObReferenceObjectByPointer + 40 804EA5C1 3 Bytes [AD, 60, 80]
.text ntoskrnl.exe!ObReferenceObjectByPointer + 48 804EA5C9 3 Bytes [AD, 60, 80]
.text ntoskrnl.exe!ObReferenceObjectByPointer + 4C 804EA5CD 3 Bytes [AD, 60, 80]
.text ...
.text ntoskrnl.exe!RtlClearBits + 30 804EA9B5 3 Bytes [A9, 4E, 80]
.text ntoskrnl.exe!RtlClearBits + C7 804EAA4C 3 Bytes [A9, 4E, 80]
.text ntoskrnl.exe!RtlClearBits + D6 804EAA5B 3 Bytes [A9, 4E, 80]
.text ntoskrnl.exe!RtlClearBits + 113 804EAA98 3 Bytes [A9, 4E, 80]
.text ntoskrnl.exe!RtlClearBits + 122 804EAAA7 3 Bytes [A9, 4E, 80]
.text ...
.text ntoskrnl.exe!IoAcquireRemoveLockEx + 36 804EAD3C 3 Bytes [AE, 4E, 80]
.text ntoskrnl.exe!IoAcquireRemoveLockEx + 40 804EAD46 3 Bytes [0C, 56, 80]
.text ntoskrnl.exe!IoAcquireRemoveLockEx + 76 804EAD7C 3 Bytes [0E, 56, 80]
.text ntoskrnl.exe!IoAcquireRemoveLockEx + C9 804EADCF 3 Bytes [0C, 56, 80]
.text ntoskrnl.exe!IoAcquireRemoveLockEx + 17F 804EAE85 3 Bytes [06, 52, 80]
.text ...
.text ntoskrnl.exe!IoFreeIrp + 9 804EAF4B 3 Bytes [B7, 55, 80]
.text ntoskrnl.exe!IoFreeIrp + 42 804EAF84 3 Bytes [0D, 56, 80]
.text ntoskrnl.exe!IoAllocateIrp + 9 804EAFA6 3 Bytes [B7, 55, 80]
.text ntoskrnl.exe!ExIsResourceAcquiredSharedLite + 1E 804EB010 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExIsResourceAcquiredSharedLite + 42 804EB034 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExIsResourceAcquiredSharedLite + 23E 804EB230 3 Bytes [BA, 55, 80]
.text ntoskrnl.exe!ExIsResourceAcquiredSharedLite + 24A 804EB23C 3 Bytes [F0, 55, 80]
.text ntoskrnl.exe!ExIsResourceAcquiredSharedLite + 25B 804EB24D 3 Bytes [23, 56, 80] {AND EDX, [ESI-0x80]}
.text ...
.text ntoskrnl.exe!KeSetPriorityThread + C 804EC208 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeSetPriorityThread + 5A 804EC256 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeSetPriorityThread + 8B 804EC287 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeTerminateThread + 1E 804EC328 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!KeTerminateThread + 34 804EC33E 3 Bytes [96, 56, 80]
.text ntoskrnl.exe!KeTerminateThread + 40 804EC34A 3 Bytes [96, 56, 80]
.text ntoskrnl.exe!KeTerminateThread + 47 804EC351 3 Bytes [96, 56, 80]
.text ntoskrnl.exe!KeTerminateThread + 50 804EC35A 3 Bytes [96, 56, 80]
.text ...
.text ntoskrnl.exe!KeInitializeTimerEx + 41 804EC534 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeInitializeTimerEx + 62 804EC555 3 Bytes [90, 5F, 80]
.text ntoskrnl.exe!KeInitializeTimerEx + 66 804EC559 3 Bytes [90, 5F, 80]
.text ntoskrnl.exe!KeInitializeTimerEx + 72 804EC565 3 Bytes [4A, 60, 80]
.text ntoskrnl.exe!KeInitializeTimerEx + 76 804EC569 3 Bytes [4A, 60, 80]
.text ...
.text ntoskrnl.exe!ZwCancelTimer + 4 804EC826 3 Bytes [C8, 4E, 80]
.text ntoskrnl.exe!ZwCancelTimer + 33 804EC855 3 Bytes [A4, 56, 80]
.text ntoskrnl.exe!ZwCancelTimer + 53 804EC875 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ZwCancelTimer + 86 804EC8A8 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ZwCancelTimer + BB 804EC8DD 3 Bytes [CC, 52, 80]
.text ...
.text ntoskrnl.exe!FsRtlGetNextLargeMcbEntry + 4 804EC8F9 3 Bytes [C9, 4E, 80]
.text ntoskrnl.exe!FsRtlGetNextLargeMcbEntry + 17 804EC90C 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlGetNextLargeMcbEntry + A4 804EC999 3 Bytes [C9, 4E, 80]
.text ntoskrnl.exe!FsRtlGetNextLargeMcbEntry + B4 804EC9A9 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlResetLargeMcb + 9A 804ECA9A 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlResetLargeMcb + D2 804ECAD2 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!FsRtlResetLargeMcb + DB 804ECADB 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!FsRtlResetLargeMcb + E2 804ECAE2 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!FsRtlResetLargeMcb + F0 804ECAF0 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!FsRtlLookupLargeMcbEntry + 4 804ECCF9 3 Bytes [CD, 4E, 80]
.text ntoskrnl.exe!FsRtlLookupLargeMcbEntry + 17 804ECD0C 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlLookupLargeMcbEntry + BC 804ECDB1 3 Bytes [CD, 4E, 80]
.text ntoskrnl.exe!FsRtlLookupLargeMcbEntry + CC 804ECDC1 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcFlushCache + 33 804ECEFA 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!CcFlushCache + 4E 804ECF15 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcFlushCache + 79 804ECF40 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcFlushCache + 133 804ECFFA 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcFlushCache + 149 804ED010 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!IoGetBaseFileSystemDeviceObject + 51 804ED34E 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!IoGetBaseFileSystemDeviceObject + 7E 804ED37B 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!IoGetBaseFileSystemDeviceObject + C4 804ED3C1 3 Bytes [7A, 55, 80]
.text ntoskrnl.exe!IoGetBaseFileSystemDeviceObject + E5 804ED3E2 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoGetBaseFileSystemDeviceObject + EE 804ED3EB 3 Bytes [BC, 55, 80]
.text ...
.text ntoskrnl.exe!KeQueryTickCount + 8 804ED97D 3 Bytes [A0, 55, 80]
.text ntoskrnl.exe!KeQueryTickCount + 14 804ED989 3 Bytes [A0, 55, 80]
.text ntoskrnl.exe!KeQueryTickCount + 1C 804ED991 3 Bytes [A0, 55, 80]
.text ntoskrnl.exe!KeQueryTickCount + 8F 804EDA04 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!KeQueryTickCount + F8 804EDA6D 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!MmBuildMdlForNonPagedPool + 7B 804EDF17 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!MmMapLockedPagesSpecifyCache + 43 804EDF6F 3 Bytes [30, 56, 80] {XOR [ESI-0x80], DL}
.text ntoskrnl.exe!MmMapLockedPagesSpecifyCache + 75 804EDFA1 3 Bytes [7B, 55, 80]
.text ntoskrnl.exe!MmMapLockedPagesSpecifyCache + 9A 804EDFC6 3 Bytes [7C, 55, 80]
.text ntoskrnl.exe!MmMapLockedPagesSpecifyCache + EC 804EE018 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!MmMapLockedPagesSpecifyCache + 147 804EE073 3 Bytes [BC, 55, 80]
.text ntoskrnl.exe!MmUnmapLockedPages + C 804EE0A4 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!MmUnmapLockedPages + 4A 804EE0E2 3 Bytes [BC, 55, 80]
.text ntoskrnl.exe!IoBuildPartialMdl + 218 804EE32A 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!IoBuildPartialMdl + 285 804EE397 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoBuildPartialMdl + 334 804EE446 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoBuildPartialMdl + 3A8 804EE4BA 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoBuildPartialMdl + 43E 804EE550 3 Bytes [79, 55, 80]
.text ...
.text ntoskrnl.exe!IoSynchronousPageWrite + 1E 804EEC14 3 Bytes [F5, 55, 80]
.text ntoskrnl.exe!IoSynchronousPageWrite + 2F 804EEC25 3 Bytes [F5, 55, 80]
.text ntoskrnl.exe!IoSynchronousPageWrite + 48 804EEC3E 3 Bytes [B7, 55, 80]
.text ntoskrnl.exe!IoSynchronousPageWrite + A9 804EEC9F 3 Bytes [B7, 55, 80]
.text ntoskrnl.exe!IoSynchronousPageWrite + FA 804EECF0 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!MmSetAddressRangeModified + 17 804EF032 3 Bytes [83, 4D, 80]
.text ntoskrnl.exe!MmSetAddressRangeModified + 47 804EF062 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!MmSetAddressRangeModified + 5A 804EF075 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!MmSetAddressRangeModified + CE 804EF0E9 3 Bytes [83, 4D, 80]
.text ntoskrnl.exe!MmSetAddressRangeModified + E7 804EF102 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!ExAcquireSharedStarveExclusive + 1F 804EF377 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExAcquireSharedStarveExclusive + 41 804EF399 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExDisableResourceBoostLite + 15 804EF3BF 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExDisableResourceBoostLite + 22 804EF3CC 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcSetDirtyPinnedData + 4C 804EF474 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcSetDirtyPinnedData + AE 804EF4D6 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcSetDirtyPinnedData + FB 804EF523 3 Bytes [AB, 55, 80]
.text ntoskrnl.exe!CcSetDirtyPinnedData + 120 804EF548 3 Bytes [F5, 4E, 80]
.text ntoskrnl.exe!CcSetDirtyPinnedData + 1D1 804EF5F9 3 Bytes [D3, 51, 80] {RCL DWORD [ECX-0x80], CL}
.text ...
.text ntoskrnl.exe!ExSetResourceOwnerPointer + 1E 804EFC12 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExSetResourceOwnerPointer + 40 804EFC34 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExSetResourceOwnerPointer + DB 804EFCCF 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExSetResourceOwnerPointer + 105 804EFCF9 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExSetResourceOwnerPointer + 1D9 804EFDCD 3 Bytes [AB, 55, 80]
.text ...
.text ntoskrnl.exe!ExReleaseResourceForThreadLite + 17 804EFF1B 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExReleaseResourceForThreadLite + 5F 804EFF63 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExReleaseResourceForThreadLite + 78 804EFF7C 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcGetDirtyPages + 4 804EFFF8 3 Bytes [00, 4F, 80] {ADD [EDI-0x80], CL}
.text ntoskrnl.exe!CcGetDirtyPages + 1D 804F0011 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcGetDirtyPages + 26 804F001A 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!CcGetDirtyPages + 37 804F002B 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!CcGetDirtyPages + 6D 804F0061 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!RtlSetBits + 30 804F040D 3 Bytes [A9, 4E, 80]
.text ntoskrnl.exe!RtlFindClearBits + 29 804F0456 3 Bytes [A9, 4E, 80]
.text ntoskrnl.exe!RtlFindClearBits + 6C 804F0499 3 Bytes [A9, 4E, 80]
.text ntoskrnl.exe!RtlFindClearBits + 9A 804F04C7 3 Bytes [02, 4F, 80] {ADD CL, [EDI-0x80]}
.text ntoskrnl.exe!RtlFindClearBits + A4 804F04D1 3 Bytes [01, 4F, 80] {ADD [EDI-0x80], ECX}
.text ntoskrnl.exe!RtlFindClearBits + B5 804F04E2 3 Bytes [05, 4F, 80]
.text ...
.text ntoskrnl.exe!PsChargeProcessNonPagedPoolQuota + C 804F07D7 3 Bytes [97, 56, 80]
.text ntoskrnl.exe!PsChargeProcessNonPagedPoolQuota + B8 804F0883 3 Bytes [78, 55, 80]
.text ntoskrnl.exe!PsChargeProcessNonPagedPoolQuota + D9 804F08A4 3 Bytes [31, 56, 80] {XOR [ESI-0x80], EDX}
.text ntoskrnl.exe!PsChargeProcessNonPagedPoolQuota + 145 804F0910 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!PsChargeProcessNonPagedPoolQuota + 170 804F093B 3 Bytes [7E, 56, 80]
.text ...
.text ntoskrnl.exe!PsGetThreadTeb + 12 804F0A32 3 Bytes [78, 56, 80]
.text ntoskrnl.exe!PsGetThreadTeb + 1D 804F0A3D 3 Bytes [79, 56, 80]
.text ntoskrnl.exe!PsGetThreadTeb + 3C 804F0A5C 3 Bytes [2F, 56, 80]
.text ntoskrnl.exe!PsGetThreadTeb + 48 804F0A68 3 Bytes [7C, 56, 80]
.text ntoskrnl.exe!PsGetThreadTeb + 4D 804F0A6D 3 Bytes [7C, 56, 80]
.text ...
.text ntoskrnl.exe!RtlFindClearBitsAndSet + 36 804F0ABE 3 Bytes [79, 56, 80]
.text ntoskrnl.exe!RtlFindClearBitsAndSet + 3E 804F0AC6 3 Bytes [78, 56, 80]
.text ntoskrnl.exe!RtlFindClearBitsAndSet + 46 804F0ACE 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!RtlFindClearBitsAndSet + 4E 804F0AD6 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!RtlFindClearBitsAndSet + 59 804F0AE1 3 Bytes [7E, 56, 80]
.text ...
.text ntoskrnl.exe!RtlSetBit + 89 804F0C2E 3 Bytes [69, 4E, 80]
.text ntoskrnl.exe!RtlSetBit + B4 804F0C59 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!RtlSetBit + DA 804F0C7F 3 Bytes [79, 55, 80]
.text ntoskrnl.exe!RtlSetBit + E6 804F0C8B 3 Bytes [7C, 56, 80]
.text ntoskrnl.exe!RtlSetBit + F7 804F0C9C 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!PsReturnProcessNonPagedPoolQuota + E 804F1417 3 Bytes [97, 56, 80]
.text ntoskrnl.exe!PsReturnProcessNonPagedPoolQuota + 92 804F149B 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!PsReturnProcessNonPagedPoolQuota + AE 804F14B7 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!KeAttachProcess + 37 804F15DC 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeDetachProcess + 1D 804F161B 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeDetachProcess + C4 804F16C2 3 Bytes [BD, 55, 80]
.text ntoskrnl.exe!KeDetachProcess + D7 804F16D5 3 Bytes [93, 5F, 80]
.text ntoskrnl.exe!KeDetachProcess + DB 804F16D9 3 Bytes [93, 5F, 80]
.text ntoskrnl.exe!KeDetachProcess + E3 804F16E1 3 Bytes [94, 5F, 80]
.text ...
.text ntoskrnl.exe!RtlRealSuccessor + 37 804F1755 3 Bytes [66, 58, 80]
.text ntoskrnl.exe!RtlRealSuccessor + 3B 804F1759 3 Bytes [66, 58, 80]
.text ntoskrnl.exe!RtlRealSuccessor + 43 804F1761 3 Bytes [60, 58, 80]
.text ntoskrnl.exe!RtlRealSuccessor + 47 804F1765 3 Bytes [61, 58, 80]
.text ntoskrnl.exe!RtlRealSuccessor + 4F 804F176D 3 Bytes [62, 58, 80] {BOUND EBX, [EAX-0x80]}
.text ...
.text ntoskrnl.exe!ExIsResourceAcquiredExclusiveLite + 1F 804F28C8 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExIsResourceAcquiredExclusiveLite + 37 804F28E0 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExIsResourceAcquiredExclusiveLite + 4C 804F28F5 3 Bytes [2A, 4F, 80] {SUB CL, [EDI-0x80]}
.text ntoskrnl.exe!ExIsResourceAcquiredExclusiveLite + 71 804F291A 3 Bytes [B8, 55, 80]
.text ntoskrnl.exe!ExIsResourceAcquiredExclusiveLite + 194 804F2A3D 3 Bytes [0A, 52, 80] {OR DL, [EDX-0x80]}
.text ...
.text ntoskrnl.exe!CcRemapBcb + 29 804F2AE2 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcRemapBcb + 38 804F2AF1 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExAcquireSharedWaitForExclusive + 17 804F2B1A 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExAcquireSharedWaitForExclusive + 43 804F2B46 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExAcquireSharedWaitForExclusive + 5A 804F2B5D 3 Bytes [FF, 5E, 80] {CALL FAR DWORD [ESI-0x80]}
.text ntoskrnl.exe!ExAcquireSharedWaitForExclusive + 5E 804F2B61 3 Bytes [FF, 5E, 80] {CALL FAR DWORD [ESI-0x80]}
.text ntoskrnl.exe!ExAcquireSharedWaitForExclusive + 66 804F2B69 3 Bytes [FF, 5E, 80] {CALL FAR DWORD [ESI-0x80]}
.text ...
.text ntoskrnl.exe!RtlCopyUnicodeString + 68 804F2DF9 3 Bytes [A4, 56, 80]
.text ntoskrnl.exe!RtlCopyUnicodeString + 7C 804F2E0D 3 Bytes JMP EAFE805E
.text ntoskrnl.exe!RtlCopyUnicodeString + 88 804F2E19 3 Bytes JMP EABB805E
.text ntoskrnl.exe!RtlCopyUnicodeString + 94 804F2E25 3 Bytes [EB, 5E, 80]
.text ntoskrnl.exe!RtlCopyUnicodeString + 98 804F2E29 3 Bytes [EB, 5E, 80]
.text ...
.text ntoskrnl.exe!RtlDelete + 71 804F3012 3 Bytes [7B, 56, 80]
.text ntoskrnl.exe!RtlDelete + 92 804F3033 3 Bytes [7B, 56, 80]
.text ntoskrnl.exe!RtlDelete + BD 804F305E 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!RtlDelete + 1C9 804F316A 3 Bytes [7B, 56, 80]
.text ntoskrnl.exe!RtlDelete + 1CF 804F3170 3 Bytes [7B, 56, 80]
.text ...
.text ntoskrnl.exe!RtlSplay + 3C 804F3479 3 Bytes [DA, 5E, 80] {FICOMP DWORD [ESI-0x80]}
.text ntoskrnl.exe!RtlSplay + E3 804F3520 3 Bytes [7B, 56, 80]
.text ntoskrnl.exe!RtlSplay + 104 804F3541 3 Bytes [7B, 56, 80]
.text ntoskrnl.exe!RtlSplay + 116 804F3553 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!RtlSplay + 124 804F3561 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!wcscpy + 9C 804F3765 3 Bytes [33, 61, 80] {XOR ESP, [ECX-0x80]}
.text ntoskrnl.exe!wcscpy + A0 804F3769 3 Bytes [33, 61, 80] {XOR ESP, [ECX-0x80]}
.text ntoskrnl.exe!wcscpy + A8 804F3771 3 Bytes [33, 61, 80] {XOR ESP, [ECX-0x80]}
.text ntoskrnl.exe!wcscpy + AC 804F3775 3 Bytes [33, 61, 80] {XOR ESP, [ECX-0x80]}
.text ntoskrnl.exe!wcscpy + B1 804F377A 3 Bytes [7C, 55, 80]
.text ...
.text ntoskrnl.exe!FsRtlLookupPerStreamContextInternal + 11 804F382D 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlLookupPerStreamContextInternal + 42 804F385E 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlLookupPerStreamContextInternal + 70 804F388C 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlLookupPerStreamContextInternal + B5 804F38D1 3 Bytes [FE, 57, 80]
.text ntoskrnl.exe!FsRtlLookupPerStreamContextInternal + E9 804F3905 3 Bytes [6F, 61, 80]
.text ...
.text ntoskrnl.exe!ExAllocatePoolWithTagPriority + 57 804F3CB5 3 Bytes [34, 60, 80]
.text ntoskrnl.exe!ExAllocatePoolWithTagPriority + 63 804F3CC1 3 Bytes [36, 60, 80]
.text ntoskrnl.exe!ExAllocatePoolWithTagPriority + 67 804F3CC5 3 Bytes [36, 60, 80]
.text ntoskrnl.exe!ExAllocatePoolWithTagPriority + 6F 804F3CCD 3 Bytes [36, 60, 80]
.text ntoskrnl.exe!ExAllocatePoolWithTagPriority + 73 804F3CD1 3 Bytes [36, 60, 80]
.text ...
.text ntoskrnl.exe!KeStackAttachProcess + 2E 804F3FD3 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeUnstackDetachProcess + 20 804F4029 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeUnstackDetachProcess + E4 804F40ED 3 Bytes [D7, 5F, 80]
.text ntoskrnl.exe!KeUnstackDetachProcess + E8 804F40F1 3 Bytes [D7, 5F, 80]
.text ntoskrnl.exe!KeUnstackDetachProcess + F4 804F40FD 3 Bytes [9F, 5F, 80]
.text ntoskrnl.exe!KeUnstackDetachProcess + F8 804F4101 3 Bytes [9F, 5F, 80]
.text ...
.text ntoskrnl.exe!PsGetProcessJob + 1A 804F41ED 3 Bytes [70, 60, 80]
.text ntoskrnl.exe!PsGetProcessJob + 1E 804F41F1 3 Bytes [71, 60, 80]
.text ntoskrnl.exe!PsGetProcessJob + 2A 804F41FD 3 Bytes [83, 61, 80]
.text ntoskrnl.exe!PsGetProcessJob + 2E 804F4201 3 Bytes [84, 61, 80] {TEST [ECX-0x80], AH}
.text ntoskrnl.exe!PsGetProcessJob + 3A 804F420D 3 Bytes [84, 61, 80] {TEST [ECX-0x80], AH}
.text ...
.text ntoskrnl.exe!IoGetRequestorProcess + 24 804F4335 3 Bytes [B0, 5F, 80]
.text ntoskrnl.exe!IoGetRequestorProcess + 28 804F4339 3 Bytes [B0, 5F, 80]
.text ntoskrnl.exe!IoGetRequestorProcess + 30 804F4341 3 Bytes [B1, 5F, 80]
.text ntoskrnl.exe!IoGetRequestorProcess + 34 804F4345 3 Bytes [B1, 5F, 80]
.text ntoskrnl.exe!IoGetRequestorProcess + 3C 804F434D 3 Bytes [2B, 61, 80] {SUB ESP, [ECX-0x80]}
.text ...
.text ntoskrnl.exe!KeSaveFloatingPointState + B 804F4370 3 Bytes [22, 56, 80] {AND DL, [ESI-0x80]}
.text ntoskrnl.exe!KeSaveFloatingPointState + 20 804F4385 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!KeSaveFloatingPointState + 9F 804F4404 3 Bytes [22, 56, 80] {AND DL, [ESI-0x80]}
.text ntoskrnl.exe!KeSaveFloatingPointState + A8 804F440D 3 Bytes [21, 56, 80] {AND [ESI-0x80], EDX}
.text ntoskrnl.exe!KeSaveFloatingPointState + F0 804F4455 3 Bytes [22, 56, 80] {AND DL, [ESI-0x80]}
.text ...
.text ntoskrnl.exe!KeRestoreFloatingPointState + 35 804F44B7 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!KeRestoreFloatingPointState + 6E 804F44F0 3 Bytes [22, 56, 80] {AND DL, [ESI-0x80]}
.text ntoskrnl.exe!KeRestoreFloatingPointState + 77 804F44F9 3 Bytes [21, 56, 80] {AND [ESI-0x80], EDX}
.text ntoskrnl.exe!KeRestoreFloatingPointState + F3 804F4575 3 Bytes [22, 56, 80] {AND DL, [ESI-0x80]}
.text ntoskrnl.exe!KeSetKernelStackSwapEnable + 21 804F45DD 3 Bytes [6E, 61, 80]
.text ntoskrnl.exe!KeSetKernelStackSwapEnable + 25 804F45E1 3 Bytes [6E, 61, 80]
.text ntoskrnl.exe!KeSetKernelStackSwapEnable + 31 804F45ED 3 Bytes [31, 61, 80] {XOR [ECX-0x80], ESP}
.text ntoskrnl.exe!KeSetKernelStackSwapEnable + 35 804F45F1 3 Bytes [31, 61, 80] {XOR [ECX-0x80], ESP}
.text ntoskrnl.exe!KeSetKernelStackSwapEnable + 55 804F4611 3 Bytes [DD, 5E, 80] {FSTP QWORD [ESI-0x80]}
.text ...
.text ntoskrnl.exe!PsChargePoolQuota + 29 804F478D 3 Bytes [DB, 5E, 80] {FISTP DWORD [ESI-0x80]}
.text ntoskrnl.exe!PsChargePoolQuota + 2D 804F4791 3 Bytes [DB, 5E, 80] {FISTP DWORD [ESI-0x80]}
.text ntoskrnl.exe!PsChargePoolQuota + E4 804F4848 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!PsChargePoolQuota + 104 804F4868 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!PsChargePoolQuota + 121 804F4885 3 Bytes [30, 55, 80] {XOR [EBP-0x80], DL}
.text ...
.text ntoskrnl.exe!CcInitializeCacheMap + 111 804F5231 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcInitializeCacheMap + 140 804F5260 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!CcInitializeCacheMap + 14C 804F526C 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!CcInitializeCacheMap + 153 804F5273 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!CcInitializeCacheMap + 1B0 804F52D0 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!CcSetReadAheadGranularity + 36 804F54B2 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcSetReadAheadGranularity + 94 804F5510 3 Bytes [7B, 56, 80]
.text ntoskrnl.exe!CcSetReadAheadGranularity + A5 804F5521 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcUninitializeCacheMap + 14 804F5564 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcUninitializeCacheMap + D4 804F5624 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!CcUninitializeCacheMap + DA 804F562A 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!CcUninitializeCacheMap + E4 804F5634 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ntoskrnl.exe!CcUninitializeCacheMap + EA 804F563A 3 Bytes [F6, 55, 80] {NOT BYTE [EBP-0x80]}
.text ...
.text ntoskrnl.exe!FsRtlFastUnlockAll + 9B 804F576C 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlFastUnlockAll + B6 804F5787 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlFastUnlockAll + 16C 804F583D 3 Bytes [82, 55, 80]
.text ntoskrnl.exe!FsRtlFastUnlockAll + 177 804F5848 3 Bytes [AA, 56, 80]
.text ntoskrnl.exe!FsRtlFastUnlockAll + 18E 804F585F 3 Bytes [82, 55, 80]
.text ...
.text ntoskrnl.exe!RtlLookupElementGenericTableFullAvl + 1AD 804F5D6B 3 Bytes [7C, 55, 80]
.text ntoskrnl.exe!RtlLookupElementGenericTableFullAvl + 22A 804F5DE8 3 Bytes [7C, 55, 80]
.text ntoskrnl.exe!RtlLookupElementGenericTableFullAvl + 259 804F5E17 3 Bytes [5E, 4F, 80]
.text ntoskrnl.exe!KeDisconnectInterrupt + 52 8050A00A 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeInitializeInterrupt + 64 8050A0A6 3 Bytes [B9, 4D, 80]
.text ntoskrnl.exe!KeInitializeInterrupt + 7B 8050A0BD 3 Bytes [BB, 4D, 80]
.text ntoskrnl.exe!KeInitializeInterrupt + 85 8050A0C7 3 Bytes [BA, 4D, 80]
.text ntoskrnl.exe!KeConnectInterrupt + 2A 8050A104 3 Bytes [BA, 55, 80]
.text ntoskrnl.exe!KeConnectInterrupt + 49 8050A123 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeConnectInterrupt + 88 8050A162 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeConnectInterrupt + CD 8050A1A7 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!KeConnectInterrupt + E6 8050A1C0 3 Bytes [7E, 56, 80]
.text ...
.text ntoskrnl.exe!IoEnumerateDeviceObjectList + 14 8050A272 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoEnumerateDeviceObjectList + 64 8050A2C2 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoGetDiskDeviceObject + 49 8050A325 3 Bytes [2A, 61, 80] {SUB AH, [ECX-0x80]}
.text ntoskrnl.exe!IoGetDiskDeviceObject + 4D 8050A329 3 Bytes [2A, 61, 80] {SUB AH, [ECX-0x80]}
.text ntoskrnl.exe!FsRtlNormalizeNtstatus + 25 8050A3BA 3 Bytes [A4, 50, 80]
.text ntoskrnl.exe!FsRtlNormalizeNtstatus + 80 8050A415 3 Bytes [04, 52, 80]
.text ntoskrnl.exe!FsRtlNormalizeNtstatus + 84 8050A419 3 Bytes [04, 52, 80]
.text ntoskrnl.exe!IoRaiseHardError + 80 8050A4A1 3 Bytes [C6, 5A, 80]
.text ntoskrnl.exe!IoCreateStreamFileObjectEx + 38 8050A4F5 3 Bytes [0D, 56, 80]
.text ntoskrnl.exe!IoCreateStreamFileObjectEx + 14F 8050A60C 3 Bytes [A2, 55, 80]
.text ntoskrnl.exe!IoCreateStreamFileObjectEx + 174 8050A631 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!IoCreateStreamFileObjectEx + 1C5 8050A682 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoCreateStreamFileObjectEx + 209 8050A6C6 3 Bytes [7E, 56, 80]
.text ...
.text ntoskrnl.exe!RtlTimeToTimeFields + 8E 8050A981 3 Bytes CALL 09D0FA2F
.text ntoskrnl.exe!RtlTimeToTimeFields + 99 8050A98C 3 Bytes [70, 50, 80]
.text ntoskrnl.exe!RtlTimeToTimeFields + 277 8050AB6A 3 Bytes [AB, 50, 80]
.text ntoskrnl.exe!RtlTimeToTimeFields + 27D 8050AB70 3 Bytes [AB, 50, 80]
.text ntoskrnl.exe!RtlTimeToTimeFields + 28F 8050AB82 3 Bytes [AB, 50, 80]
.text ...
.text ntoskrnl.exe!IoWMIHandleToInstanceName + 38 8050B47C 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoWMIHandleToInstanceName + 42 8050B486 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
.text ntoskrnl.exe!IoWMIHandleToInstanceName + 57 8050B49B 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!IoWMIHandleToInstanceName + 67 8050B4AB 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
.text ntoskrnl.exe!IoWMIHandleToInstanceName + 73 8050B4B7 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvCheckDisplayOwnership + 5 8050B4C5 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvCheckDisplayOwnership + 41 8050B501 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvCheckDisplayOwnership + 70 8050B530 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
.text ntoskrnl.exe!InbvCheckDisplayOwnership + 75 8050B535 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
.text ntoskrnl.exe!InbvCheckDisplayOwnership + 8C 8050B54C 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!MmMapIoSpace + 5D 8050B5DF 3 Bytes [7B, 55, 80]
.text ntoskrnl.exe!MmMapIoSpace + A4 8050B626 3 Bytes [7C, 55, 80]
.text ntoskrnl.exe!MmMapIoSpace + AA 8050B62C 3 Bytes [BC, 55, 80]
.text ntoskrnl.exe!MmMapIoSpace + 11C 8050B69E 3 Bytes [BC, 55, 80]
.text ntoskrnl.exe!MmMapIoSpace + 13F 8050B6C1 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!MmUnmapIoSpace + 3A 8050B713 3 Bytes [BC, 55, 80]
.text ntoskrnl.exe!MmUnmapIoSpace + 9C 8050B775 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!MmUnmapIoSpace + 113 8050B7EC 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!MmUnmapIoSpace + 12C 8050B805 3 Bytes [7C, 55, 80]
.text ntoskrnl.exe!MmUnmapIoSpace + 15D 8050B836 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!vsprintf + 88 8050B90A 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!vsprintf + A6 8050B928 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!vsprintf + E8 8050B96A 3 Bytes [07, 56, 80]
.text ntoskrnl.exe!vsprintf + F2 8050B974 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!vsprintf + 106 8050B988 3 Bytes [07, 56, 80]
.text ...
.text ntoskrnl.exe!RtlSetAllBits + 27 8050BA5C 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoInvalidateDeviceState + 54 8050BAEB 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoInvalidateDeviceState + 75 8050BB0C 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoAllocateErrorLogEntry + 59 8050BB7E 3 Bytes [0E, 56, 80]
.text ntoskrnl.exe!IoWriteErrorLogEntry + 12 8050BD97 3 Bytes [09, 56, 80] {OR [ESI-0x80], EDX}
.text ntoskrnl.exe!IoWriteErrorLogEntry + 27 8050BDAC 3 Bytes [96, 55, 80]
.text ntoskrnl.exe!IoWriteErrorLogEntry + 2F 8050BDB4 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoWriteErrorLogEntry + 35 8050BDBA 3 Bytes [0E, 56, 80]
.text ntoskrnl.exe!IoWriteErrorLogEntry + 41 8050BDC6 3 Bytes [0E, 56, 80]
.text ...
.text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 8 8050C1E2 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 1A 8050C1F4 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 26 8050C200 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + 2F 8050C209 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvNotifyDisplayOwnershipLost + C6 8050C2A0 3 Bytes [7E, 56, 80]
.text ...
.text ntoskrnl.exe!MmAllocateContiguousMemory + 24 8050C3BE 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!MmAllocateContiguousMemory + AD 8050C447 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!MmAllocateContiguousMemory + D1 8050C46B 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!MmAllocateContiguousMemory + 1D3 8050C56D 3 Bytes [C6, 50, 80]
.text ntoskrnl.exe!MmAllocateContiguousMemory + 2CB 8050C665 3 Bytes [C6, 50, 80]
.text ...
.text ntoskrnl.exe!ExRegisterCallback + 4D 8050D0B9 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExRegisterCallback + 71 8050D0DD 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExRegisterCallback + 96 8050D102 3 Bytes [A9, 4E, 80]
.text ntoskrnl.exe!ExRegisterCallback + AE 8050D11A 3 Bytes [A9, 4E, 80]
.text ntoskrnl.exe!ExRegisterCallback + BF 8050D12B 3 Bytes [07, 56, 80]
.text ...
.text ntoskrnl.exe!InbvEnableBootDriver + 8 8050D1D2 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvEnableBootDriver + 15 8050D1DF 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvEnableBootDriver + 23 8050D1ED 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvEnableBootDriver + 38 8050D202 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvEnableBootDriver + AD 8050D277 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!HeadlessDispatch + 7 8050D2B7 3 Bytes [F0, 55, 80]
.text ntoskrnl.exe!InbvDisplayString + B 8050D313 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvDisplayString + 17 8050D31F 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvDisplayString + 23 8050D32B 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvDisplayString + 2A 8050D332 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvDisplayString + 75 8050D37D 3 Bytes [26, 61, 80]
.text ...
.text ntoskrnl.exe!InbvEnableDisplayString + A 8050D4E9 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvEnableDisplayString + 10 8050D4EF 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvEnableDisplayString + 29 8050D508 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
.text ntoskrnl.exe!InbvEnableDisplayString + 3A 8050D519 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
.text ntoskrnl.exe!InbvEnableDisplayString + 3F 8050D51E 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
.text ntoskrnl.exe!ExAllocatePool + 34 8050D566 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExAllocatePool + 48 8050D57A 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!ExAllocatePool + 5B 8050D58D 3 Bytes [BA, 55, 80]
.text ntoskrnl.exe!ExAllocatePool + 6A 8050D59C 3 Bytes [D5, 50, 80]
.text ntoskrnl.exe!ExAllocatePool + 8A 8050D5BC 3 Bytes [80, 4D, 80]
.text ...
.text ntoskrnl.exe!RtlCopyString + 1AB 8050D824 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!RtlCopyString + 25A 8050D8D3 3 Bytes [15, 56, 80]
.text ntoskrnl.exe!RtlCopyString + 27A 8050D8F3 3 Bytes [14, 56, 80]
.text ntoskrnl.exe!RtlCopyString + 285 8050D8FE 3 Bytes [15, 56, 80]
.text ntoskrnl.exe!RtlCopyString + 2AC 8050D925 3 Bytes [15, 56, 80]
.text ntoskrnl.exe!IoSetCompletionRoutineEx + 44 8050D9E4 3 Bytes [DA, 50, 80] {FICOM DWORD [EAX-0x80]}
.text ntoskrnl.exe!IoSetCompletionRoutineEx + CB 8050DA6B 3 Bytes [91, 56, 80]
.text ntoskrnl.exe!IoSetCompletionRoutineEx + D1 8050DA71 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoSetCompletionRoutineEx + 12A 8050DACA 3 Bytes [91, 56, 80]
.text ntoskrnl.exe!IoSetCompletionRoutineEx + 130 8050DAD0 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!KeRegisterBugCheckCallback + C 8050DAEE 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeRegisterBugCheckCallback + 11 8050DAF3 3 Bytes [25, 56, 80]
.text ntoskrnl.exe!KeRegisterBugCheckCallback + 55 8050DB37 3 Bytes [25, 56, 80]
.text ntoskrnl.exe!KeRegisterBugCheckCallback + 5E 8050DB40 3 Bytes [25, 56, 80]
.text ntoskrnl.exe!KeRegisterBugCheckCallback + 67 8050DB49 3 Bytes [25, 56, 80]
.text ...
.text ntoskrnl.exe!Ke386QueryIoAccessMap + 19 8050DBF6 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!Ke386QueryIoAccessMap + 4C 8050DC29 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!Ke386IoSetAccessProcess + 2D 8050DC66 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!Ke386IoSetAccessProcess + 6B 8050DCA4 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!Ke386SetIoAccessMap + 22 8050DCF9 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!Ke386SetIoAccessMap + 39 8050DD10 3 Bytes [BA, 55, 80]
.text ntoskrnl.exe!Ke386SetIoAccessMap + 47 8050DD1E 3 Bytes [DD, 50, 80] {FST QWORD [EAX-0x80]}
.text ntoskrnl.exe!Ke386SetIoAccessMap + 9A 8050DD71 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!Ke386SetIoAccessMap + 128 8050DDFF 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!ExVerifySuite + 22 8050E0C2 3 Bytes [F0, 55, 80]
.text ntoskrnl.exe!KeRegisterBugCheckReasonCallback + D 8050E0DE 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeRegisterBugCheckReasonCallback + 12 8050E0E3 3 Bytes [25, 56, 80]
.text ntoskrnl.exe!KeRegisterBugCheckReasonCallback + 4A 8050E11B 3 Bytes [25, 56, 80]
.text ntoskrnl.exe!KeRegisterBugCheckReasonCallback + 53 8050E124 3 Bytes [25, 56, 80]
.text ntoskrnl.exe!KeRegisterBugCheckReasonCallback + 5B 8050E12C 3 Bytes [25, 56, 80]
.text ...
.text ntoskrnl.exe!MmIsDriverVerifying + 30 8050E20D 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!MmIsDriverVerifying + 52 8050E22F 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!MmIsDriverVerifying + B0 8050E28D 3 Bytes [C9, 5F, 80]
.text ntoskrnl.exe!MmIsDriverVerifying + B4 8050E291 3 Bytes [C9, 5F, 80]
.text ntoskrnl.exe!MmIsDriverVerifying + C6 8050E2A3 3 Bytes [30, 55, 80] {XOR [EBP-0x80], DL}
.text ...
.text ntoskrnl.exe!IoSetStartIoAttributes + 88 8050E39E 3 Bytes [BA, 55, 80]
.text ntoskrnl.exe!IoSetStartIoAttributes + C1 8050E3D7 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!IoSetStartIoAttributes + 174 8050E48A 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!IoSetStartIoAttributes + 194 8050E4AA 3 Bytes [90, 56, 80]
.text ntoskrnl.exe!IoSetStartIoAttributes + 19C 8050E4B2 3 Bytes [90, 56, 80]
.text ...
.text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + 76 80510717 3 Bytes [06, 56, 80]
.text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + 8C 8051072D 3 Bytes [06, 56, 80]
.text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + 97 80510738 3 Bytes [06, 56, 80]
.text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + 9C 8051073D 3 Bytes [06, 56, 80]
.text ntoskrnl.exe!FsRtlRegisterFileSystemFilterCallbacks + A1 80510742 3 Bytes [06, 56, 80]
.text ...
.text ntoskrnl.exe!IoReadDiskSignature + 8E 8051085F 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvInstallDisplayStringFilter + A 80510876 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvInstallDisplayStringFilter + 28 80510894 3 Bytes [B4, 55, 80]
.text ntoskrnl.exe!InbvInstallDisplayStringFilter + 31 8051089D 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
.text ntoskrnl.exe!InbvInstallDisplayStringFilter + 52 805108BE 3 Bytes [32, 55, 80] {XOR DL, [EBP-0x80]}
.text ntoskrnl.exe!InbvInstallDisplayStringFilter + 61 805108CD 3 Bytes [31, 55, 80] {XOR [EBP-0x80], EDX}
.text ...
.text ntoskrnl.exe!KeSetTimeIncrement + 14 80510D53 3 Bytes [A0, 55, 80]
.text ntoskrnl.exe!KeSetTimeIncrement + 1A 80510D59 3 Bytes [25, 56, 80]
.text ntoskrnl.exe!KeSetTimeIncrement + 22 80510D61 3 Bytes [25, 56, 80]
.text ntoskrnl.exe!KeSetTimeIncrement + 27 80510D66 3 Bytes [A0, 55, 80]
.text ntoskrnl.exe!KeSetTimeIncrement + 2C 80510D6B 3 Bytes [24, 56, 80]
.text ...
.text ntoskrnl.exe!KeI386AllocateGdtSelectors + E 80510D8A 3 Bytes [BA, 55, 80]
.text ntoskrnl.exe!KeI386AllocateGdtSelectors + 16 80510D92 3 Bytes [22, 56, 80] {AND DL, [ESI-0x80]}
.text ntoskrnl.exe!KeI386AllocateGdtSelectors + 1E 80510D9A 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!KeI386AllocateGdtSelectors + 25 80510DA1 3 Bytes [BA, 55, 80]
.text ntoskrnl.exe!KeI386AllocateGdtSelectors + 2E 80510DAA 3 Bytes [BA, 55, 80]
.text ...
.text ntoskrnl.exe!RtlFindLeastSignificantBit + 47 80511436 3 Bytes [01, 4F, 80] {ADD [EDI-0x80], ECX}
.text ntoskrnl.exe!RtlFindLeastSignificantBit + 5D 8051144C 3 Bytes [22, 51, 80] {AND DL, [ECX-0x80]}
.text ntoskrnl.exe!RtlFindLeastSignificantBit + 72 80511461 3 Bytes [AC, 69, 80]
.text ntoskrnl.exe!RtlFindLeastSignificantBit + 83 80511472 3 Bytes [AC, 69, 80]
.text ntoskrnl.exe!RtlFindLeastSignificantBit + D3 805114C2 3 Bytes [AB, 69, 80]
.text ...
.text ntoskrnl.exe!VfIsVerificationEnabled + 8 805115E6 3 Bytes [CD, 55, 80]
.text ntoskrnl.exe!VfIsVerificationEnabled + 59 80511637 3 Bytes [A1, 56, 80]
.text ntoskrnl.exe!_strupr + 180 8051181E 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!_strupr + 18B 80511829 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!_strupr + 196 80511834 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!_strupr + 1A1 8051183F 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!_strupr + 1AC 8051184A 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!atol + 14 8051198D 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!atol + 24 8051199D 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!atol + 7E 805119F7 3 Bytes [18, 56, 80] {SBB [ESI-0x80], DL}
.text ntoskrnl.exe!atol + 83 805119FC 3 Bytes [18, 56, 80] {SBB [ESI-0x80], DL}
.text ntoskrnl.exe!atol + 88 80511A01 3 Bytes [18, 56, 80] {SBB [ESI-0x80], DL}
.text ...
.text ntoskrnl.exe!isupper + 8 8051246E 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!isupper + 18 8051247E 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!isdigit + 8 80512497 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!isdigit + 18 805124A7 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!isspace + 8 805124C0 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!isspace + 18 805124D0 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!tolower + 8 805124E9 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!tolower + 18 805124F9 3 Bytes [A3, 55, 80]
.text ntoskrnl.exe!tolower + 93 80512574 3 Bytes [AB, 55, 80]
.text ntoskrnl.exe!tolower + 9B 8051257C 3 Bytes [AB, 55, 80]
.text ntoskrnl.exe!tolower + A0 80512581 3 Bytes [AB, 55, 80]
.text ...
.text ntoskrnl.exe!PsGetProcessImageFileName + 24 80513367 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!PsGetProcessImageFileName + 37 8051337A 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!PsGetProcessImageFileName + 5B 8051339E 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!PsGetProcessImageFileName + 6E 805133B1 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!PsGetProcessImageFileName + 92 805133D5 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!RtlFindNextForwardRunClear + 3C 80513468 3 Bytes CALL 8BD184A1
.text ntoskrnl.exe!RtlFindNextForwardRunClear + 7A 805134A6 3 Bytes CALL 77D184DF
.text ntoskrnl.exe!RtlFindNextForwardRunClear + 11C 80513548 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!RtlFindNextForwardRunClear + 200 8051362C 3 Bytes [97, 56, 80]
.text ntoskrnl.exe!RtlFindNextForwardRunClear + 22C 80513658 3 Bytes [76, 56, 80]
.text ntoskrnl.exe!RtlLookupElementGenericTable + 6D 80513819 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!RtlLookupElementGenericTable + 7F 8051382B 3 Bytes [AB, 55, 80]
.text ntoskrnl.exe!RtlLookupElementGenericTable + 93 8051383F 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!RtlLookupElementGenericTable + CB 80513877 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!RtlLookupElementGenericTable + 101 805138AD 3 Bytes [7E, 56, 80]
.text ...
.text ntoskrnl.exe!IoMakeAssociatedIrp + 1F 80513B1F 3 Bytes [0E, 56, 80]
.text ntoskrnl.exe!IoMakeAssociatedIrp + 76 80513B76 3 Bytes [0C, 56, 80]
.text ntoskrnl.exe!RtlNumberOfSetBits + 23 80513D58 3 Bytes [A9, 4E, 80]
.text ntoskrnl.exe!RtlNumberOfSetBits + 42 80513D77 3 Bytes [3C, 51, 80]
.text ntoskrnl.exe!RtlNumberOfSetBits + 108 80513E3D 3 Bytes [9A, 61, 80]
.text ntoskrnl.exe!RtlNumberOfSetBits + 10C 80513E41 3 Bytes [9A, 61, 80]
.text ntoskrnl.exe!RtlNumberOfSetBits + 118 80513E4D 3 Bytes [A0, 61, 80]
.text ...
.text ntoskrnl.exe!RtlClearAllBits + 34 80513E9D 3 Bytes [F5, 55, 80]
.text ntoskrnl.exe!RtlClearAllBits + 3D 80513EA6 3 Bytes [A9, 55, 80]
.text ntoskrnl.exe!RtlClearAllBits + 47 80513EB0 3 Bytes [02, 56, 80] {ADD DL, [ESI-0x80]}
.text ntoskrnl.exe!RtlClearAllBits + 4D 80513EB6 3 Bytes [F5, 55, 80]
.text ntoskrnl.exe!RtlClearAllBits + 164 80513FCD 3 Bytes [A9, 61, 80]
.text ...
.text ntoskrnl.exe!CcFastCopyWrite + 4 805143D5 3 Bytes [44, 51, 80]
.text ntoskrnl.exe!CcFastCopyWrite + B4 80514485 3 Bytes [D1, 51, 80] {RCL DWORD [ECX-0x80], 0x1}
.text ntoskrnl.exe!CcFastCopyWrite + B8 80514489 3 Bytes [D1, 51, 80] {RCL DWORD [ECX-0x80], 0x1}
.text ntoskrnl.exe!CcFastCopyWrite + 254 80514625 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!CcFastCopyWrite + 279 8051464A 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!RtlDeleteNoSplay + 159 805148CA 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!RtlDeleteNoSplay + 2BB 80514A2C 3 Bytes [AD, 55, 80]
.text ntoskrnl.exe!RtlDeleteNoSplay + 3D6 80514B47 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!RtlDeleteNoSplay + 44E 80514BBF 3 Bytes [A0, 55, 80]
.text ntoskrnl.exe!RtlDeleteNoSplay + 4BE 80514C2F 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!IoIsSystemThread + 4A 80514E6D 3 Bytes [9F, 56, 80]
.text ntoskrnl.exe!IoIsSystemThread + 6A 80514E8D 3 Bytes [32, 61, 80] {XOR AH, [ECX-0x80]}
.text ntoskrnl.exe!IoIsSystemThread + 6E 80514E91 3 Bytes [32, 61, 80] {XOR AH, [ECX-0x80]}
.text ntoskrnl.exe!IoIsSystemThread + 76 80514E99 3 Bytes [33, 61, 80] {XOR ESP, [ECX-0x80]}
.text ntoskrnl.exe!IoIsSystemThread + 7A 80514E9D 3 Bytes [33, 61, 80] {XOR ESP, [ECX-0x80]}
.text ...
.text ntoskrnl.exe!KeRemoveQueueDpc + 2E 80514F79 3 Bytes [7B, 61, 80]
.text ntoskrnl.exe!KeRemoveQueueDpc + 34 80514F7F 3 Bytes [76, 56, 80]
.text ntoskrnl.exe!KeSetBasePriorityThread + D 80514F99 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!ExSystemTimeToLocalTime + D 805150C3 3 Bytes [A8, 56, 80]
.text ntoskrnl.exe!ExSystemTimeToLocalTime + 16 805150CC 3 Bytes [A8, 56, 80]
.text ntoskrnl.exe!ExSystemTimeToLocalTime + EF 805151A5 3 Bytes [20, 5F, 80] {AND [EDI-0x80], BL}
.text ntoskrnl.exe!ExSystemTimeToLocalTime + F3 805151A9 3 Bytes [21, 5F, 80] {AND [EDI-0x80], EBX}
.text ntoskrnl.exe!ExSystemTimeToLocalTime + FB 805151B1 3 Bytes [21, 5F, 80] {AND [EDI-0x80], EBX}
.text ...
.text ntoskrnl.exe!IoGetAttachedDeviceReference + D 80515244 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoGetAttachedDeviceReference + 2B 80515262 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!RtlLookupElementGenericTableAvl + 33 805152A5 3 Bytes [FF, 5F, 80] {CALL FAR DWORD [EDI-0x80]}
.text ntoskrnl.exe!RtlLookupElementGenericTableAvl + 37 805152A9 3 Bytes [FF, 5F, 80] {CALL FAR DWORD [EDI-0x80]}
.text ntoskrnl.exe!RtlLookupElementGenericTableAvl + 3F 805152B1 3 Bytes [00, 60, 80] {ADD [EAX-0x80], AH}
.text ntoskrnl.exe!RtlLookupElementGenericTableAvl + 43 805152B5 3 Bytes [00, 60, 80] {ADD [EAX-0x80], AH}
.text ntoskrnl.exe!IoGetRequestorSessionId + 177 80515495 3 Bytes [30, 61, 80] {XOR [ECX-0x80], AH}
.text ntoskrnl.exe!IoGetRequestorSessionId + 17B 80515499 3 Bytes [30, 61, 80] {XOR [ECX-0x80], AH}
.text ntoskrnl.exe!IoGetRequestorSessionId + 183 805154A1 3 Bytes [30, 61, 80] {XOR [ECX-0x80], AH}
.text ntoskrnl.exe!IoGetRequestorSessionId + 187 805154A5 3 Bytes [30, 61, 80] {XOR [ECX-0x80], AH}
.text ntoskrnl.exe!IoGetRequestorSessionId + 18F 805154AD 3 Bytes [30, 61, 80] {XOR [ECX-0x80], AH}
.text ...
.text ntoskrnl.exe!FsRtlRemovePerStreamContext + 1B 80515B3C 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlRemovePerStreamContext + 57 80515B78 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlRemovePerStreamContext + 90 80515BB1 3 Bytes [CB, 5E, 80]
.text ntoskrnl.exe!FsRtlRemovePerStreamContext + 9C 80515BBD 3 Bytes [CD, 5E, 80]
.text ntoskrnl.exe!FsRtlRemovePerStreamContext + A5 80515BC6 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!KePulseEvent + D 80515C78 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KePulseEvent + 5C 80515CC7 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KePulseEvent + 82 80515CED 3 Bytes [5D, 51, 80]
.text ntoskrnl.exe!KePulseEvent + 8D 80515CF8 3 Bytes [79, 56, 80]
.text ntoskrnl.exe!KePulseEvent + 9F 80515D0A 3 Bytes [80, 4D, 80]
.text ...
.text ntoskrnl.exe!FsRtlPrivateLock + 4 80515D76 3 Bytes [5E, 51, 80]
.text ntoskrnl.exe!FsRtlPrivateLock + 74 80515DE6 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlPrivateLock + DF 80515E51 3 Bytes [F7, 51, 80] {NOT DWORD [ECX-0x80]}
.text ntoskrnl.exe!FsRtlPrivateLock + FE 80515E70 3 Bytes [B3, 55, 80]
.text ntoskrnl.exe!FsRtlPrivateLock + 16C 80515EDE 3 Bytes [81, 4D, 80]
.text ...
.text ntoskrnl.exe!FsRtlFastUnlockSingle + 5F 80516205 3 Bytes [F7, 5E, 80] {NEG DWORD [ESI-0x80]}
.text ntoskrnl.exe!FsRtlFastUnlockSingle + 63 80516209 3 Bytes [F7, 5E, 80] {NEG DWORD [ESI-0x80]}
.text ntoskrnl.exe!FsRtlFastUnlockSingle + 6B 80516211 3 Bytes [F7, 5E, 80] {NEG DWORD [ESI-0x80]}
.text ntoskrnl.exe!FsRtlFastUnlockSingle + 6F 80516215 3 Bytes [F7, 5E, 80] {NEG DWORD [ESI-0x80]}
.text ntoskrnl.exe!FsRtlFastUnlockSingle + 77 8051621D 3 Bytes [F8, 5E, 80]
.text ...
.text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 62 80516594 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlFastCheckLockForWrite + C6 805165F8 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 10D 8051663F 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 178 805166AA 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlFastCheckLockForWrite + 220 80516752 3 Bytes [06, 56, 80]
.text ...
.text ntoskrnl.exe!FsRtlAllocateFileLock + 7 80516788 3 Bytes [AE, 55, 80]
.text ntoskrnl.exe!FsRtlAllocateFileLock + 30 805167B1 3 Bytes [68, 51, 80]
.text ntoskrnl.exe!FsRtlAllocateFileLock + 3F 805167C0 3 Bytes [06, 56, 80]
.text ntoskrnl.exe!FsRtlAllocateFileLock + 45 805167C6 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!FsRtlAllocateFileLock + 55 805167D6 3 Bytes [AF, 55, 80]
.text ...
.text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 47 805173A4 3 Bytes [74, 51, 80]
.text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 51 805173AE 3 Bytes [74, 51, 80]
.text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 59 805173B6 3 Bytes [74, 51, 80]
.text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 76 805173D3 3 Bytes [74, 51, 80]
.text ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb + 7E 805173DB 3 Bytes [74, 51, 80]
.text ...
.text ntoskrnl.exe!IoCancelIrp + 9 80518482 3 Bytes [B8, 55, 80]
.text ntoskrnl.exe!IoCancelIrp + 5D 805184D6 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!IoCancelIrp + 79 805184F2 3 Bytes [41, 62, 80]
.text ntoskrnl.exe!IoCancelIrp + 7E 805184F7 3 Bytes [28, 4F, 80] {SUB [EDI-0x80], CL}
.text ntoskrnl.exe!IoCancelIrp + A6 8051851F 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExExtendZone + DB 80518615 3 Bytes [B9, 61, 80]
.text ntoskrnl.exe!ExExtendZone + DF 80518619 3 Bytes [B9, 61, 80]
.text ntoskrnl.exe!ExExtendZone + E5 8051861F 3 Bytes [76, 56, 80]
.text ntoskrnl.exe!IoBuildDeviceIoControlRequest + 4 80518630 3 Bytes [86, 51, 80] {XCHG [ECX-0x80], DL}
.text ntoskrnl.exe!IoBuildDeviceIoControlRequest + 1E 8051864A 3 Bytes [B7, 55, 80]
.text ntoskrnl.exe!IoBuildDeviceIoControlRequest + 92 805186BE 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!IoBuildDeviceIoControlRequest + B2 805186DE 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!IoBuildDeviceIoControlRequest + C9 805186F5 3 Bytes [07, 52, 80]
.text ...
.text ntoskrnl.exe!KeSetAffinityThread + C 80518887 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeSetAffinityThread + AC 80518927 3 Bytes [23, 56, 80] {AND EDX, [ESI-0x80]}
.text ntoskrnl.exe!KeSetAffinityThread + F5 80518970 3 Bytes [82, 4D, 80]
.text ntoskrnl.exe!KeSetAffinityThread + 104 8051897F 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeSetAffinityThread + 109 80518984 3 Bytes [79, 56, 80]
.text ...
.text ntoskrnl.exe!IoAllocateAdapterChannel + 27 80518BF5 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!IoCsqInsertIrp + 43 80518C7C 3 Bytes [C5, 51, 80] {LDS EDX, DWORD [ECX-0x80]}
.text ntoskrnl.exe!IoBuildSynchronousFsdRequest + 30 80518DA1 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!IoBuildSynchronousFsdRequest + 50 80518DC1 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!ExNotifyCallback + 14 805190EC 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExNotifyCallback + 24 805190FC 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!ExGetPreviousMode + 15 8051914A 3 Bytes [F5, 55, 80]
.text ntoskrnl.exe!RtlMapSecurityErrorToNtStatus + 43 805191CD 3 Bytes [FB, 60, 80]
.text ntoskrnl.exe!RtlMapSecurityErrorToNtStatus + 47 805191D1 3 Bytes [FB, 60, 80]
.text ntoskrnl.exe!RtlMapSecurityErrorToNtStatus + 64 805191EE 3 Bytes [90, 56, 80]
.text ntoskrnl.exe!RtlMapSecurityErrorToNtStatus + 6A 805191F4 3 Bytes [90, 56, 80]
.text ntoskrnl.exe!RtlMapSecurityErrorToNtStatus + B0 8051923A 3 Bytes [3E, 51, 80]
.text ...
.text ntoskrnl.exe!PoRegisterSystemState + 66 805192FF 3 Bytes [2D, 56, 80]
.text ntoskrnl.exe!PoRegisterSystemState + 8B 80519324 3 Bytes [9E, 55, 80]
.text ntoskrnl.exe!RtlInsertElementGenericTableAvl + 6E 8051944D 3 Bytes [5F, 61, 80]
.text ntoskrnl.exe!RtlInsertElementGenericTableAvl + 72 80519451 3 Bytes [5F, 61, 80]
.text ntoskrnl.exe!RtlInsertElementGenericTableAvl + 7A 80519459 3 Bytes [5F, 61, 80]
.text ntoskrnl.exe!RtlInsertElementGenericTableAvl + 7E 8051945D 3 Bytes [5F, 61, 80]
.text ntoskrnl.exe!RtlInsertElementGenericTableAvl + BC 8051949B 3 Bytes [81, 55, 80]
.text ...
.text ntoskrnl.exe!RtlWalkFrameChain + 4 80519604 3 Bytes [97, 51, 80]
.text ntoskrnl.exe!RtlWalkFrameChain + 53 80519653 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!RtlWalkFrameChain + 8A 8051968A 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!RtlWalkFrameChain + B8 805196B8 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!RtlWalkFrameChain + 107 80519707 3 Bytes [7E, 56, 80]
.text ...
.text ntoskrnl.exe!IoInitializeIrp + 8 805197BC 3 Bytes [B8, 55, 80]
.text ntoskrnl.exe!KeSetIdealProcessorThread + D 80519839 3 Bytes [80, 4D, 80]
.text ntoskrnl.exe!KeSetIdealProcessorThread + 22 8051984E 3 Bytes [BA, 55, 80]
.text ntoskrnl.exe!KeSetIdealProcessorThread + 3C 80519868 3 Bytes [23, 56, 80] {AND EDX, [ESI-0x80]}
.text ntoskrnl.exe!KeSetIdealProcessorThread + 69 80519895 3 Bytes [13, 60, 80] {ADC ESP, [EAX-0x80]}
.text ntoskrnl.exe!KeSetIdealProcessorThread + 6D 80519899 3 Bytes [13, 60, 80] {ADC ESP, [EAX-0x80]}
.text ntoskrnl.exe!_stricmp + 6B 8051990C 3 Bytes [23, 56, 80] {AND EDX, [ESI-0x80]}
.text ntoskrnl.exe!_stricmp + 82 80519923 3 Bytes [9E, 55, 80]
.text ntoskrnl.exe!_stricmp + 8C 8051992D 3 Bytes [9E, 55, 80]
.text ntoskrnl.exe!_stricmp + 99 8051993A 3 Bytes [9E, 55, 80]
.text ntoskrnl.exe!_stricmp + 154 805199F5 3 Bytes [BF, 60, 80]
.text ...
.text ntoskrnl.exe!MmUnlockPagableImageSection + 8A 8051A1ED 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!MmUnlockPagableImageSection + 95 8051A1F8 3 Bytes [7E, 56, 80]
.text ntoskrnl.exe!MmUnlockPagableImageSection + B8 8051A21B 3 Bytes [A2, 55, 80]
.text ntoskrnl.exe!MmUnlockPagableImageSection + CF 8051A232 3 Bytes [81, 4D, 80]
.text ntoskrnl.exe!MmUnlockPagableImageSection + E1 8051A244 3 Bytes [76, 56, 80]
.text ...
.text ntoskrnl.exe!PoSetSystemState + 2F 8051A48C 3 Bytes [90, 56, 80]
.text ntoskrnl.exe!PoSetSystemState + 3B 8051A498 3 Bytes [8E, 56, 80] {MOV SS, [ESI-0x80]}
.text ntoskrnl.exe!PoSetSystemState + 51 8051A4AE 3 Bytes [C4, 55, 80] {LES EDX, DWORD [EBP-0x80]}
.text ntoskrnl.exe!PoSetSystemState + 5D 8051A4BA 3 Bytes [C4, 55, 80] {LES EDX, DWORD [EBP-0x80]}
.text ntoskrnl.exe!PoSetSystemState + 64 8051A4C1 3 Bytes [C4, 55, 80] {LES EDX, DWORD [EBP-0x80]}
.text ...
.text ntoskrnl.exe!KeAreApcsDisabled + 31 8051AE95 3 Bytes [BC, 55, 80]
.text ntoskrnl.exe!KeAreApcsDisabled + 4D 8051AEB1 3 Bytes [BC, 55, 80]
PAGE ntoskrnl.exe!ObReferenceObjectByHandle + 6E 8056C5C7 3 Bytes [7D, 55, 80]
PAGE ntoskrnl.exe!ObReferenceObjectByHandle + AF 8056C608 3 Bytes [BD, 55, 80]
PAGE ntoskrnl.exe!RtlEqualUnicodeString + 3C 8056C6C0 3 Bytes CALL E6D73067
PAGE ntoskrnl.exe!RtlEqualUnicodeString + 7A 8056C6FE 3 Bytes [7F, 56, 80]
PAGE ntoskrnl.exe!SeDeleteAccessState + A4 8056CB6C 3 Bytes [83, 4D, 80]
PAGE ntoskrnl.exe!SeDeleteAccessState + D2 8056CB9A 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!SeDeleteAccessState + 17C 8056CC44 3 Bytes [83, 4D, 80]
PAGE ntoskrnl.exe!SeDeleteAccessState + 1B4 8056CC7C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!SeDeleteAccessState + 27A 8056CD42 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ...
PAGE ntoskrnl.exe!ObCreateObject + B1 8056D5D6 3 Bytes [BD, 55, 80]
PAGE ntoskrnl.exe!ObCreateObject + 27D 8056D7A2 3 Bytes [83, 4D, 80]
PAGE ntoskrnl.exe!ObCreateObject + 390 8056D8B5 3 Bytes [D8, 56, 80] {FCOM DWORD [ESI-0x80]}
PAGE ntoskrnl.exe!NtCreateSection + 4 8056DB6A 3 Bytes [5B, 4E, 80]
PAGE ntoskrnl.exe!NtCreateSection + 74 8056DBDA 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtCreateSection + 94 8056DBFA 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ObCheckObjectAccess + 142 8056DEBA 3 Bytes [A5, 56, 80]
PAGE ntoskrnl.exe!ObCheckObjectAccess + 149 8056DEC1 3 Bytes [A5, 56, 80]
PAGE ntoskrnl.exe!ObCheckObjectAccess + 17C 8056DEF4 3 Bytes [A5, 56, 80]
PAGE ntoskrnl.exe!ObCheckObjectAccess + 197 8056DF0F 3 Bytes [A5, 56, 80]
PAGE ntoskrnl.exe!NtWaitForSingleObject + 4 8056DF66 3 Bytes [5E, 4E, 80]
PAGE ntoskrnl.exe!NtWaitForSingleObject + 2D 8056DF8F 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtWaitForSingleObject + 1FE 8056E160 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!NtWaitForSingleObject + 240 8056E1A2 3 Bytes [D7, 56, 80]
PAGE ntoskrnl.exe!NtWaitForSingleObject + 433 8056E395 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ...
PAGE ntoskrnl.exe!ProbeForWrite + 23 8056E8C2 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ProbeForWrite + 6C 8056E90B 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ProbeForWrite + 72 8056E911 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ProbeForWrite + 140 8056E9DF 3 Bytes [50, 4E, 80]
PAGE ntoskrnl.exe!ProbeForWrite + 215 8056EAB4 3 Bytes [83, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwDelayExecution + 4 8056EB07 3 Bytes [6B, 4E, 80]
PAGE ntoskrnl.exe!ZwDelayExecution + 35 8056EB38 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwReleaseMutant + 4 8056EB72 3 Bytes [6B, 4E, 80]
PAGE ntoskrnl.exe!ZwReleaseMutant + 34 8056EBA2 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwReleaseMutant + D3 8056EC41 3 Bytes [13, 55, 80] {ADC EDX, [EBP-0x80]}
PAGE ntoskrnl.exe!ZwWaitForMultipleObjects + 7 8056EC50 3 Bytes [6C, 4E, 80]
PAGE ntoskrnl.exe!ZwWaitForMultipleObjects + 49 8056EC92 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwWaitForMultipleObjects + F9 8056ED42 3 Bytes [07, 56, 80]
PAGE ntoskrnl.exe!ZwWaitForMultipleObjects + 106 8056ED4F 3 Bytes [7D, 55, 80]
PAGE ntoskrnl.exe!ZwWaitForMultipleObjects + 13C 8056ED85 3 Bytes [BD, 55, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeChar + B2 8056F062 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeChar + E2 8056F092 3 Bytes [BD, 55, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeChar + 10A 8056F0BA 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwQueryDefaultLocale + 4 8056F0D4 3 Bytes [74, 4E, 80]
PAGE ntoskrnl.exe!ZwQueryDefaultLocale + 2E 8056F0FE 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryDefaultLocale + 59 8056F129 3 Bytes [A2, 69, 80]
PAGE ntoskrnl.exe!KeUserModeCallback + 4 8056F137 3 Bytes [7A, 4E, 80]
PAGE ntoskrnl.exe!ExfAcquirePushLockShared + A6 8056F4B0 3 Bytes [96, 56, 80]
PAGE ntoskrnl.exe!ExfAcquirePushLockShared + AC 8056F4B6 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ExfAcquirePushLockShared + B1 8056F4BB 3 Bytes [96, 56, 80]
PAGE ntoskrnl.exe!ExfAcquirePushLockShared + B6 8056F4C0 3 Bytes [96, 56, 80]
PAGE ntoskrnl.exe!ExfAcquirePushLockShared + DB 8056F4E5 3 Bytes [96, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwRemoveIoCompletion + 4 8056F550 3 Bytes [86, 4E, 80] {XCHG [ESI-0x80], CL}
PAGE ntoskrnl.exe!ZwRemoveIoCompletion + 30 8056F57C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwRemoveIoCompletion + 44 8056F590 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwRemoveIoCompletion + 59 8056F5A5 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwRemoveIoCompletion + 80 8056F5CC 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 4 8056F6A8 3 Bytes [A4, 4E, 80]
PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 2C 8056F6D0 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 57 8056F6FB 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryPerformanceCounter + 7B 8056F71F 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!NtClose + 54 8056FA9C 3 Bytes [7D, 55, 80]
PAGE ntoskrnl.exe!NtClose + 71 8056FAB9 3 Bytes [07, 56, 80]
PAGE ntoskrnl.exe!NtClose + 102 8056FB4A 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!NtClose + 10A 8056FB52 3 Bytes [96, 56, 80]
PAGE ntoskrnl.exe!RtlCreateSecurityDescriptor + 83 8056FE3D 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!RtlCopySid + 38 8056FFD5 3 Bytes [7D, 55, 80]
PAGE ntoskrnl.exe!ExAcquireRundownProtection + 6D 80570137 3 Bytes [CE, 55, 80]
PAGE ntoskrnl.exe!ExAcquireRundownProtection + 82 8057014C 3 Bytes [81, 55, 80]
PAGE ntoskrnl.exe!ObOpenObjectByName + 1EB 80570469 3 Bytes [F5, 55, 80]
PAGE ntoskrnl.exe!ObOpenObjectByName + 1F3 80570471 3 Bytes [01, 56, 80] {ADD [ESI-0x80], EDX}
PAGE ntoskrnl.exe!ObOpenObjectByName + 20A 80570488 3 Bytes [F5, 55, 80]
PAGE ntoskrnl.exe!ObOpenObjectByName + 211 8057048F 3 Bytes [01, 56, 80] {ADD [ESI-0x80], EDX}
PAGE ntoskrnl.exe!ObOpenObjectByName + 245 805704C3 3 Bytes [01, 56, 80] {ADD [ESI-0x80], EDX}
PAGE ...
PAGE ntoskrnl.exe!RtlUpcaseUnicodeString + 103 80570708 3 Bytes [78, 55, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeString + 121 80570726 3 Bytes [31, 56, 80] {XOR [ESI-0x80], EDX}
PAGE ntoskrnl.exe!RtlUpcaseUnicodeString + 1B5 805707BA 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeString + 221 80570826 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeString + 242 80570847 3 Bytes [80, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!SeTokenType + 102 80570A5F 3 Bytes [7C, 55, 80]
PAGE ntoskrnl.exe!SeTokenType + 13E 80570A9B 3 Bytes [79, 55, 80]
PAGE ntoskrnl.exe!NtSetEvent + 4 80570AC4 3 Bytes [86, 4E, 80] {XCHG [ESI-0x80], CL}
PAGE ntoskrnl.exe!NtSetEvent + 31 80570AF1 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!NtSetEvent + 5E 80570B1E 3 Bytes [82, 55, 80]
PAGE ntoskrnl.exe!ZwClearEvent + 22 80570B71 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!RtlAddAtomToAtomTable + 4 80570C92 3 Bytes [81, 4E, 80]
PAGE ntoskrnl.exe!RtlAddAtomToAtomTable + 168 80570DF6 3 Bytes [7C, 56, 80]
PAGE ntoskrnl.exe!RtlAddAtomToAtomTable + 1B4 80570E42 3 Bytes [BC, 55, 80]
PAGE ntoskrnl.exe!RtlAddAtomToAtomTable + 1BD 80570E4B 3 Bytes [7C, 56, 80]
PAGE ntoskrnl.exe!RtlAddAtomToAtomTable + 1F6 80570E84 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!NtAllocateVirtualMemory + 7 80570EE4 3 Bytes [A2, 4E, 80]
PAGE ntoskrnl.exe!NtAllocateVirtualMemory + A4 80570F81 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtAllocateVirtualMemory + B9 80570F96 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtAllocateVirtualMemory + D8 80570FB5 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtAllocateVirtualMemory + 164 80571041 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!NtFreeVirtualMemory + 4 805713DB 3 Bytes [AB, 4E, 80]
PAGE ntoskrnl.exe!NtFreeVirtualMemory + 58 8057142F 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtFreeVirtualMemory + 6D 80571444 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtFreeVirtualMemory + 8D 80571464 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtFreeVirtualMemory + D6 805714AD 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!MmSecureVirtualMemory + 46 80571F48 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!MmSecureVirtualMemory + 9E 80571FA0 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!PsSetProcessPriorityByClass + 1A 80571FC9 3 Bytes [20, 57, 80] {AND [EDI-0x80], DL}
PAGE ntoskrnl.exe!PsSetProcessPriorityByClass + 3D 80571FEC 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!PsSetProcessPriorityByClass + 8A 80572039 3 Bytes [33, 56, 80] {XOR EDX, [ESI-0x80]}
PAGE ntoskrnl.exe!PsSetProcessPriorityByClass + 9D 8057204C 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!RtlMultiByteToUnicodeN + 10 8057206D 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!RtlMultiByteToUnicodeN + 31 8057208E 3 Bytes [A4, 69, 80]
PAGE ntoskrnl.exe!RtlMultiByteToUnicodeN + 52 805720AF 3 Bytes [21, 57, 80] {AND [EDI-0x80], EDX}
PAGE ntoskrnl.exe!RtlMultiByteToUnicodeN + 7C 805720D9 3 Bytes [A4, 69, 80]
PAGE ntoskrnl.exe!RtlMultiByteToUnicodeN + 96 805720F3 3 Bytes [A2, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlQueryAtomInAtomTable + 4 805721DF 3 Bytes [A1, 4E, 80]
PAGE ntoskrnl.exe!RtlQueryAtomInAtomTable + E 805721E9 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlQueryAtomInAtomTable + 125 80572300 3 Bytes [25, 56, 80]
PAGE ntoskrnl.exe!CcPreparePinWrite + 4 805725E1 3 Bytes [FB, 4E, 80]
PAGE ntoskrnl.exe!CcPreparePinWrite + CB 805726A8 3 Bytes [30, 55, 80] {XOR [EBP-0x80], DL}
PAGE ntoskrnl.exe!CcPreparePinWrite + CF 805726AC 3 Bytes [F5, 55, 80]
PAGE ntoskrnl.exe!CcUnpinDataForThread + 95 8057277D 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!CcUnpinDataForThread + A1 80572789 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!CcUnpinDataForThread + 264 8057294C 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!CcUnpinDataForThread + 2DF 805729C7 3 Bytes [B4, 69, 80]
PAGE ntoskrnl.exe!CcUnpinDataForThread + 2E4 805729CC 3 Bytes [B4, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwOpenKey + 7 80572BFB 3 Bytes [81, 4E, 80]
PAGE ntoskrnl.exe!ZwOpenKey + 2B 80572C1F 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwOpenKey + 3B 80572C2F 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwOpenKey + 64 80572C58 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwOpenKey + 7D 80572C71 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryValueKey + 4 8057303B 3 Bytes [A5, 4E, 80]
PAGE ntoskrnl.exe!ZwQueryValueKey + 22 80573059 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwQueryValueKey + 66 8057309D 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwQueryValueKey + 89 805730C0 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwQueryValueKey + A7 805730DE 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!SeQuerySecurityDescriptorInfo + 4 805735D6 3 Bytes [A5, 4E, 80]
PAGE ntoskrnl.exe!SeQuerySecurityDescriptorInfo + 350 80573922 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!SeQuerySecurityDescriptorInfo + 3BE 80573990 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!SeQuerySecurityDescriptorInfo + 3C7 80573999 3 Bytes [7F, 56, 80]
PAGE ntoskrnl.exe!SeQuerySecurityDescriptorInfo + 3D9 805739AB 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ...
PAGE ntoskrnl.exe!SeCaptureSubjectContext + 77 80573C27 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtOpenThreadTokenEx + 4 80573CC4 3 Bytes [A5, 4E, 80]
PAGE ntoskrnl.exe!NtOpenThreadTokenEx + 42 80573D02 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtOpenThreadTokenEx + B3 80573D73 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!NtQueryInformationProcess + 7 80573EAE 3 Bytes [1B, 4F, 80] {SBB ECX, [EDI-0x80]}
PAGE ntoskrnl.exe!NtQueryInformationProcess + 88 80573F2F 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!RtlCompareUnicodeString + 3D 80573FB5 3 Bytes CALL E6D7A95C
PAGE ntoskrnl.exe!RtlValidSid + 4 8057478C 3 Bytes [88, 4E, 80] {MOV [ESI-0x80], CL}
PAGE ntoskrnl.exe!ObLogSecurityDescriptor + 2A 805749DF 3 Bytes [7F, 56, 80]
PAGE ntoskrnl.exe!ObAssignSecurity + 14 80574B98 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!ObAssignSecurity + 13B 80574CBF 3 Bytes [C4, 4E, 80] {LES ECX, DWORD [ESI-0x80]}
PAGE ntoskrnl.exe!ObAssignSecurity + 167 80574CEB 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!ObAssignSecurity + 1A9 80574D2D 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ObAssignSecurity + 22F 80574DB3 3 Bytes [BA, 55, 80]
PAGE ...
PAGE ntoskrnl.exe!ExWaitForRundownProtectionRelease + 4B 80575030 3 Bytes [2E, 56, 80]
PAGE ntoskrnl.exe!ExWaitForRundownProtectionRelease + 53 80575038 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ExWaitForRundownProtectionRelease + 61 80575046 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!ExWaitForRundownProtectionRelease + 91 80575076 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!ExWaitForRundownProtectionRelease + 9A 8057507F 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!PsCreateSystemThread + 12 805756C5 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!PsCreateSystemThread + 40 805756F3 3 Bytes [C5, 4E, 80] {LDS ECX, DWORD [ESI-0x80]}
PAGE ntoskrnl.exe!PsCreateSystemThread + 52 80575705 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 4 80575740 3 Bytes [91, 4E, 80]
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 48 80575784 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 6C 805757A8 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + E9 80575825 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 137 80575873 3 Bytes [2E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!NtQueryInformationThread + 7 80575C4C 3 Bytes [94, 4E, 80]
PAGE ntoskrnl.exe!NtQueryInformationThread + 84 80575CC9 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!NtQueryInformationThread + 9C 80575CE1 3 Bytes [A0, 55, 80]

#5 Liamsdarlin

Posted 02 January 2010 - 04:32 AM

PAGE ntoskrnl.exe!NtAddAtom + 11 805825BB 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!NtAddAtom + 7B 80582625 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtAddAtom + C5 8058266F 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtAddAtom + 2F0 8058289A 3 Bytes [B3, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlUnicodeToMultiByteN + F 80582CDB 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!RtlUnicodeToMultiByteN + 37 80582D03 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!RtlUnicodeToMultiByteN + 10F 80582DDB 3 Bytes [2E, 58, 80]
PAGE ntoskrnl.exe!RtlUnicodeToMultiByteN + 12E 80582DFA 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!RtlUnicodeToMultiByteN + 165 80582E31 3 Bytes [2D, 58, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlUnicodeStringToAnsiString + C 80582E81 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!ZwReplyPort + 4 80583146 3 Bytes [40, 4F, 80]
PAGE ntoskrnl.exe!ZwReplyPort + 3D 8058317F 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwReplyPort + 7E 805831C0 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!ZwReplyPort + D5 80583217 3 Bytes [BB, 55, 80]
PAGE ntoskrnl.exe!ZwReplyPort + 100 80583242 3 Bytes [2E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!NtDuplicateToken + 4 8058344D 3 Bytes [41, 4F, 80]
PAGE ntoskrnl.exe!NtDuplicateToken + 40 80583489 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtDuplicateToken + 7F 805834C8 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!NtDuplicateToken + 175 805835BE 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!LpcRequestPort + 7C 80583675 3 Bytes [BB, 55, 80]
PAGE ntoskrnl.exe!LpcRequestPort + CA 805836C3 3 Bytes [2E, 56, 80]
PAGE ntoskrnl.exe!LpcRequestPort + D0 805836C9 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!LpcRequestPort + D9 805836D2 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!LpcRequestPort + 127 80583720 3 Bytes [A2, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwTerminateThread + 3B 80583922 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ObSetHandleAttributes + 48 80583B85 3 Bytes [3B, 58, 80] {CMP EBX, [EAX-0x80]}
PAGE ntoskrnl.exe!ObSetHandleAttributes + 95 80583BD2 3 Bytes [7D, 55, 80]
PAGE ntoskrnl.exe!ObSetHandleAttributes + B0 80583BED 3 Bytes [A3, 4F, 80]
PAGE ntoskrnl.exe!ObSetHandleAttributes + D1 80583C0E 3 Bytes [A2, 69, 80]
PAGE ntoskrnl.exe!ObSetHandleAttributes + E1 80583C1E 3 Bytes [25, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!SeImpersonateClientEx + 140 80583ED1 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!SeImpersonateClientEx + 181 80583F12 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!SeImpersonateClientEx + 1B1 80583F42 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!SeImpersonateClientEx + 1F2 80583F83 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!SeImpersonateClientEx + 216 80583FA7 3 Bytes [3E, 4F, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwAccessCheck + 38 80584390 3 Bytes CALL 68D892D5
PAGE ntoskrnl.exe!ZwAccessCheck + 18E 805844E6 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwAccessCheck + 1F8 80584550 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!IoCreateStreamFileObjectLite + 38 8058461C 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!IoCreateStreamFileObjectLite + 2D7 805848BB 3 Bytes [33, 56, 80] {XOR EDX, [ESI-0x80]}
PAGE ntoskrnl.exe!IoCreateStreamFileObjectLite + 38C 80584970 3 Bytes [34, 56, 80]
PAGE ntoskrnl.exe!IoCreateStreamFileObjectLite + 3A6 8058498A 3 Bytes [7C, 55, 80]
PAGE ntoskrnl.exe!IoCreateStreamFileObjectLite + 47B 80584A5F 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!SePrivilegeObjectAuditAlarm + 24 80584AD9 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!IoCreateFileSpecifyDeviceObjectHint + EF 80584D65 3 Bytes [33, 4F, 80] {XOR ECX, [EDI-0x80]}
PAGE ntoskrnl.exe!IoCreateFileSpecifyDeviceObjectHint + 185 80584DFB 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryFullAttributesFile + 7 80584F28 3 Bytes [33, 4F, 80] {XOR ECX, [EDI-0x80]}
PAGE ntoskrnl.exe!ZwQueryFullAttributesFile + 11 80584F32 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!ZwQueryFullAttributesFile + 3F 80584F60 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtConnectPort + 4B 805855B0 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtConnectPort + A3 80585608 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtConnectPort + C9 8058562E 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!NtConnectPort + 107 8058566C 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ZwReleaseSemaphore + 4 805858E2 3 Bytes [1A, 4F, 80] {SBB CL, [EDI-0x80]}
PAGE ntoskrnl.exe!ZwReleaseSemaphore + 2D 8058590B 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwReleaseSemaphore + 54 80585932 3 Bytes [A5, 56, 80]
PAGE ntoskrnl.exe!ZwReleaseSemaphore + 79 80585957 3 Bytes [82, 55, 80]
PAGE ntoskrnl.exe!ZwReleaseSemaphore + 320 80585BFE 3 Bytes [79, 55, 80]
PAGE ntoskrnl.exe!RtlNtStatusToDosError + 4 80585C2A 3 Bytes [74, 51, 80]
PAGE ntoskrnl.exe!ZwFlushBuffersFile + 4 80585CF1 3 Bytes [2C, 4F, 80]
PAGE ntoskrnl.exe!ZwFlushBuffersFile + 36 80585D23 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!ZwFlushBuffersFile + 133 80585E20 3 Bytes [2D, 4F, 80]
PAGE ntoskrnl.exe!ZwFlushBuffersFile + 194 80585E81 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwFlushBuffersFile + 1DA 80585EC7 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!ProbeForRead + 26 80585F27 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ProbeForRead + 7F 80585F80 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!ZwAlertThread + 21 80585FC4 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!NtQuerySystemInformation + 7 80585FFA 3 Bytes [17, 4F, 80]
PAGE ntoskrnl.exe!NtQuerySystemInformation + 5E 80586051 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtQuerySystemInformation + 83 80586076 3 Bytes [67, 58, 80]
PAGE ntoskrnl.exe!NtQuerySystemInformation + 8A 8058607D 3 Bytes [66, 58, 80]
PAGE ntoskrnl.exe!NtQuerySystemInformation + 1B0 805861A3 3 Bytes [24, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwCreateThread + 4 80586C49 3 Bytes [9D, 4F, 80]
PAGE ntoskrnl.exe!ZwCreateThread + 28 80586C6D 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateThread + 46 80586C8B 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateThread + 7A 80586CBF 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateThread + F2 80586D37 3 Bytes [9D, 4F, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwTestAlert + 26 80586DCA 3 Bytes [9D, 4F, 80]
PAGE ntoskrnl.exe!ZwTestAlert + 98 80586E3C 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!ZwTestAlert + B9 80586E5D 3 Bytes CALL 80D8C454
PAGE ntoskrnl.exe!ZwTestAlert + 145 80586EE9 3 Bytes [6D, 58, 80]
PAGE ntoskrnl.exe!ZwTestAlert + 16D 80586F11 3 Bytes [A2, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwResumeThread + 4 805872C0 3 Bytes [9D, 4F, 80]
PAGE ntoskrnl.exe!ZwResumeThread + 30 805872EC 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwResumeThread + 4E 8058730A 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwRegisterThreadTerminatePort + 24 805873BA 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!ZwRegisterThreadTerminatePort + 220 805875B6 3 Bytes [AC, 4F, 80]
PAGE ntoskrnl.exe!ZwEnumerateValueKey + 4 80587697 3 Bytes [AC, 4F, 80]
PAGE ntoskrnl.exe!ZwEnumerateValueKey + 14 805876A7 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwEnumerateValueKey + 40 805876D3 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwEnumerateValueKey + 5A 805876ED 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwEnumerateValueKey + 85 80587718 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwCompleteConnectPort + 23 805877DC 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!ZwCompleteConnectPort + 56 8058780F 3 Bytes [2E, 56, 80]
PAGE ntoskrnl.exe!ZwCompleteConnectPort + 5E 80587817 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ZwCompleteConnectPort + 69 80587822 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!ZwCompleteConnectPort + C9 80587882 3 Bytes [2F, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwFlushInstructionCache + 4 80587BFF 3 Bytes [36, 4F, 80]
PAGE ntoskrnl.exe!ZwFlushInstructionCache + 48 80587C43 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwFlushInstructionCache + 172 80587D6D 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwFlushInstructionCache + 203 80587DFE 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwFlushInstructionCache + 287 80587E82 3 Bytes [63, 4F, 80] {ARPL [EDI-0x80], CX}
PAGE ...
PAGE ntoskrnl.exe!ZwQuerySection + 4 8058804C 3 Bytes [A7, 4F, 80]
PAGE ntoskrnl.exe!ZwQuerySection + 76 805880BE 3 Bytes [7C, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySection + DB 80588123 3 Bytes [A7, 4F, 80]
PAGE ntoskrnl.exe!ZwQuerySection + 147 8058818F 3 Bytes [79, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySection + 187 805881CF 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwReadVirtualMemory + 4 805884D0 3 Bytes [5F, 4F, 80]
PAGE ntoskrnl.exe!ZwReadVirtualMemory + 46 80588512 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwReadVirtualMemory + 66 80588532 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwReadVirtualMemory + 90 8058855C 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwWriteVirtualMemory + 4 805885C8 3 Bytes [5F, 4F, 80]
PAGE ntoskrnl.exe!ZwWriteVirtualMemory + 46 8058860A 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwWriteVirtualMemory + 7B 8058863F 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwImpersonateThread + 4 80588693 3 Bytes [AB, 4F, 80]
PAGE ntoskrnl.exe!ZwImpersonateThread + E 8058869D 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!ZwImpersonateThread + 45 805886D4 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwImpersonateThread + 68 805886F7 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwImpersonateThread + 88 80588717 3 Bytes [97, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!NtDeviceIoControlFile + 46 805889EE 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtDeviceIoControlFile + D2 80588A7A 3 Bytes [0E, 56, 80]
PAGE ntoskrnl.exe!NtDeviceIoControlFile + F5 80588A9D 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!NtDeviceIoControlFile + 157 80588AFF 3 Bytes [8B, 58, 80] {MOV EBX, [EAX-0x80]}
PAGE ntoskrnl.exe!NtDeviceIoControlFile + 18B 80588B33 3 Bytes [0E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwCreateNamedPipeFile + 4 80588CB0 3 Bytes [AC, 4F, 80]
PAGE ntoskrnl.exe!ZwCreateNamedPipeFile + 3D 80588CE9 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!RtlAnsiStringToUnicodeString + B 80588DFD 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!RtlIntegerToUnicodeString + A 80588F1F 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlIntegerToUnicodeString + 2F8 8058920D 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlIntegerToUnicodeString + 331 80589246 3 Bytes [93, 58, 80]
PAGE ntoskrnl.exe!RtlIntegerToUnicodeString + 445 8058935A 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlIntegerToUnicodeString + 455 8058936A 3 Bytes [93, 58, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryDefaultUILanguage + 4 8058948B 3 Bytes [AB, 4F, 80]
PAGE ntoskrnl.exe!ZwQueryDefaultUILanguage + 2C 805894B3 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryDefaultUILanguage + 42 805894C9 3 Bytes [94, 58, 80]
PAGE ntoskrnl.exe!ZwQueryDefaultUILanguage + 51 805894D8 3 Bytes [A2, 69, 80]
PAGE ntoskrnl.exe!RtlConvertSidToUnicodeString + D 80589584 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlConvertSidToUnicodeString + 3F 805895B6 3 Bytes [96, 58, 80]
PAGE ntoskrnl.exe!RtlFormatCurrentUserKeyPath + A 805896EF 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlFormatCurrentUserKeyPath + 9B 80589780 3 Bytes [AE, 57, 80]
PAGE ntoskrnl.exe!RtlFormatCurrentUserKeyPath + AB 80589790 3 Bytes [97, 58, 80]
PAGE ntoskrnl.exe!RtlIntegerToUnicode + 4 80589824 3 Bytes CALL 68D8E7D4
PAGE ntoskrnl.exe!RtlIntegerToUnicode + E 8058982E 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlIntegerToUnicode + 6B 8058988B 3 Bytes [99, 58, 80]
PAGE ntoskrnl.exe!ZwOpenEvent + 4 80589A55 3 Bytes [60, 4F, 80]
PAGE ntoskrnl.exe!ZwOpenEvent + 2C 80589A7D 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwOpenEvent + 50 80589AA1 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!ZwSetInformationObject + 4 80589B3D 3 Bytes [60, 4F, 80]
PAGE ntoskrnl.exe!ZwSetInformationObject + 4D 80589B86 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryInstallUILanguage + 4 80589BBE 3 Bytes [AC, 4F, 80]
PAGE ntoskrnl.exe!ZwQueryInstallUILanguage + 2C 80589BE6 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryInstallUILanguage + 40 80589BFA 3 Bytes [A2, 69, 80]
PAGE ntoskrnl.exe!ZwQueryInstallUILanguage + 5A 80589C14 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ZwQueryInstallUILanguage + 118 80589CD2 3 Bytes [C0, 55, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryEvent + 4 80589E24 3 Bytes [E3, 4F, 80]
PAGE ntoskrnl.exe!ZwQueryEvent + 62 80589E82 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySymbolicLinkObject + 4 80589EAE 3 Bytes [E3, 4F, 80]
PAGE ntoskrnl.exe!ZwQuerySymbolicLinkObject + 36 80589EE0 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySymbolicLinkObject + 4D 80589EF7 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySymbolicLinkObject + 7F 80589F29 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySymbolicLinkObject + 9D 80589F47 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!ZwOpenSymbolicLinkObject + 4 8058A03D 3 Bytes [E2, 4F, 80]
PAGE ntoskrnl.exe!ZwOpenSymbolicLinkObject + 2D 8058A066 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwOpenSymbolicLinkObject + 4F 8058A088 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!ZwOpenDirectoryObject + 4 8058A0BA 3 Bytes [E3, 4F, 80]
PAGE ntoskrnl.exe!ZwOpenDirectoryObject + 2D 8058A0E3 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwOpenDirectoryObject + 4F 8058A105 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!ZwOpenDirectoryObject + 13B 8058A1F1 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!ZwOpenDirectoryObject + 15B 8058A211 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!ZwQueryObject + 7 8058A277 3 Bytes [E1, 4F, 80]
PAGE ntoskrnl.exe!ZwQueryObject + 14B 8058A3BB 3 Bytes [25, 56, 80]
PAGE ntoskrnl.exe!ZwQueryObject + 156 8058A3C6 3 Bytes [25, 56, 80]
PAGE ntoskrnl.exe!ZwQueryObject + 161 8058A3D1 3 Bytes [A8, 56, 80]
PAGE ntoskrnl.exe!ZwQueryObject + 16C 8058A3DC 3 Bytes [A8, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlIntegerToChar + 4 8058A453 3 Bytes [60, 4F, 80]
PAGE ntoskrnl.exe!RtlIntegerToChar + E 8058A45D 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlIntegerToChar + 67 8058A4B6 3 Bytes [A5, 58, 80]
PAGE ntoskrnl.exe!ObQueryNameString + 7 8058A540 3 Bytes [E1, 4F, 80]
PAGE ntoskrnl.exe!ObQueryNameString + AD 8058A5E6 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!ObQueryNameString + ED 8058A626 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!ObQueryNameString + 28D 8058A7C6 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!ObQueryNameString + 2ED 8058A826 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ...
PAGE ntoskrnl.exe!ZwQuerySystemTime + 4 8058ABF4 3 Bytes [5F, 4F, 80]
PAGE ntoskrnl.exe!ZwQuerySystemTime + 28 8058AC18 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!SeQueryInformationToken + 19 8058ADDA 3 Bytes [B2, 58, 80]
PAGE ntoskrnl.exe!SeQueryInformationToken + C7 8058AE88 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!SeQueryInformationToken + DA 8058AE9B 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!SeQueryInformationToken + 37D 8058B13E 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!SeQueryInformationToken + 4DA 8058B29B 3 Bytes [AD, 58, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwCreateProcessEx + 4 8058B7D1 3 Bytes [F5, 4F, 80]
PAGE ntoskrnl.exe!ZwCreateProcessEx + 28 8058B7F5 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateProcessEx + 79 8058B846 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!ZwCreateProcessEx + 89 8058B856 3 Bytes CALL 09D90E4D
PAGE ntoskrnl.exe!ZwCreateProcessEx + 9E 8058B86B 3 Bytes [F3, 55, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 4 8058BA23 3 Bytes [F5, 4F, 80]
PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 32 8058BA51 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 52 8058BA71 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwOpenKeyedEvent + B5 8058BAD4 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwOpenKeyedEvent + 1AF 8058BBCE 3 Bytes [AE, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryInformationJobObject + 7 8058BEDB 3 Bytes [F6, 4F, 80]
PAGE ntoskrnl.exe!ZwQueryInformationJobObject + 3A 8058BF0E 3 Bytes [BF, 58, 80]
PAGE ntoskrnl.exe!ZwQueryInformationJobObject + 44 8058BF18 3 Bytes [BF, 58, 80]
PAGE ntoskrnl.exe!ZwQueryInformationJobObject + 311 8058C1E5 3 Bytes [96, 56, 80]
PAGE ntoskrnl.exe!ZwQueryInformationJobObject + 321 8058C1F5 3 Bytes [96, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlRandom + 3F 8058CBB4 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!RtlRandom + 1E0 8058CD55 3 Bytes [D0, 58, 80] {RCR BYTE [EAX-0x80], 0x1}
PAGE ntoskrnl.exe!RtlRandom + 25E 8058CDD3 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwQueryTimerResolution + 4 8058CE01 3 Bytes [F6, 4F, 80]
PAGE ntoskrnl.exe!ZwQueryTimerResolution + 2A 8058CE27 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryTimerResolution + 3E 8058CE3B 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryTimerResolution + 53 8058CE50 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryTimerResolution + 65 8058CE62 3 Bytes [A0, 55, 80]
PAGE ...
PAGE ntoskrnl.exe!PsSetProcessWin32Process + 9A 8058DB0C 3 Bytes [CE, 55, 80]
PAGE ntoskrnl.exe!PsSetProcessWin32Process + B0 8058DB22 3 Bytes [81, 55, 80]
PAGE ntoskrnl.exe!PsSetProcessWin32Process + 1D8 8058DC4A 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!PsSetProcessWin32Process + 1F0 8058DC62 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!PsSetProcessWin32Process + 201 8058DC73 3 Bytes [A9, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!SeTokenIsWriteRestricted + D5 8058E2C9 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ExRundownCompleted + 36 8058E408 3 Bytes [A2, 69, 80]
PAGE ntoskrnl.exe!ExRundownCompleted + BC 8058E48E 3 Bytes [96, 56, 80]
PAGE ntoskrnl.exe!ExRundownCompleted + 19F 8058E571 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ExRundownCompleted + 231 8058E603 3 Bytes [98, 56, 80]
PAGE ntoskrnl.exe!ExRundownCompleted + 278 8058E64A 3 Bytes [F2, 55, 80]
PAGE ntoskrnl.exe!ZwTerminateProcess + 3C 8058E6D1 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwTerminateProcess + 2BF 8058E954 3 Bytes JMP 50C169B1
PAGE ntoskrnl.exe!ZwTerminateProcess + 2C4 8058E959 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!ZwTerminateProcess + 2C9 8058E95E 3 Bytes [EB, 58, 80]
PAGE ntoskrnl.exe!ZwTerminateProcess + 2FF 8058E994 3 Bytes JMP 50C169F1
PAGE ...
PAGE ntoskrnl.exe!RtlRemoveUnicodePrefix + 104 8058F083 3 Bytes [34, 56, 80]
PAGE ntoskrnl.exe!RtlRemoveUnicodePrefix + 118 8058F097 3 Bytes [33, 56, 80] {XOR EDX, [ESI-0x80]}
PAGE ntoskrnl.exe!RtlRemoveUnicodePrefix + 11D 8058F09C 3 Bytes [34, 56, 80]
PAGE ntoskrnl.exe!RtlRemoveUnicodePrefix + 12E 8058F0AD 3 Bytes [34, 56, 80]
PAGE ntoskrnl.exe!RtlRemoveUnicodePrefix + 381 8058F300 3 Bytes [50, 4E, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryDirectoryObject + 4 8058FA6E 3 Bytes CALL 68D94A0D
PAGE ntoskrnl.exe!ZwQueryDirectoryObject + 84 8058FAEE 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!ZwQueryDirectoryObject + 134 8058FB9E 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryDirectoryObject + 14F 8058FBB9 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryDirectoryObject + 597 80590001 3 Bytes CALL E6D969A8
PAGE ntoskrnl.exe!RtlFindUnicodePrefix + F7 8059019E 3 Bytes [2E, 56, 80]
PAGE ntoskrnl.exe!RtlFindUnicodePrefix + 181 80590228 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!RtlFindUnicodePrefix + 18A 80590231 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!RtlFindUnicodePrefix + 1B6 8059025D 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!RtlFindUnicodePrefix + 1BF 80590266 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwSecureConnectPort + 7 80590438 3 Bytes [73, 4F, 80]
PAGE ntoskrnl.exe!ZwSecureConnectPort + 3C 8059046D 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSecureConnectPort + 54 80590485 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSecureConnectPort + A0 805904D1 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSecureConnectPort + DD 8059050E 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwAcceptConnectPort + 7 80590C02 3 Bytes [73, 4F, 80]
PAGE ntoskrnl.exe!ZwAcceptConnectPort + 30 80590C2B 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwAcceptConnectPort + 4B 80590C46 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwAcceptConnectPort + CA 80590CC5 3 Bytes [2E, 56, 80]
PAGE ntoskrnl.exe!ZwAcceptConnectPort + D0 80590CCB 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!ObReferenceObjectByName + 261 805912B0 3 Bytes [3F, 51, 80]
PAGE ntoskrnl.exe!ObReferenceObjectByName + 5C7 80591616 3 Bytes [3F, 51, 80]
PAGE ntoskrnl.exe!ObReferenceObjectByName + 934 80591983 3 Bytes [3E, 51, 80]
PAGE ntoskrnl.exe!ObReferenceObjectByName + A46 80591A95 3 Bytes [3E, 51, 80]
PAGE ntoskrnl.exe!ObReferenceObjectByName + A5A 80591AA9 3 Bytes CALL 68D96BED
PAGE ...
PAGE ntoskrnl.exe!ZwDeleteValueKey + 4 80591F8F 3 Bytes [40, 51, 80]
PAGE ntoskrnl.exe!ZwDeleteValueKey + 20 80591FAB 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwDeleteValueKey + 43 80591FCE 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwDeleteValueKey + 61 80591FEC 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwDeleteValueKey + 7B 80592006 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwDeleteKey + 4 80593338 3 Bytes [40, 51, 80]
PAGE ntoskrnl.exe!ZwDeleteKey + 13 80593347 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwDeleteKey + 39 8059336D 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwDeleteKey + 56 8059338A 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!ZwDeleteKey + 62 80593396 3 Bytes [B3, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlGetNtGlobalFlags + 2 80593930 3 Bytes [07, 56, 80]
PAGE ntoskrnl.exe!RtlUnicodeStringToInteger + 4 8059393D 3 Bytes [51, 51, 80]
PAGE ntoskrnl.exe!RtlUnicodeStringToInteger + 102 80593A3B 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!RtlUnicodeStringToInteger + 11D 80593A56 3 Bytes [A0, 55, 80]
PAGE ntoskrnl.exe!RtlUnicodeStringToInteger + 1E5 80593B1E 3 Bytes [9F, 56, 80]
PAGE ntoskrnl.exe!RtlUnicodeStringToInteger + 248 80593B81 3 Bytes [95, 51, 80]
PAGE ...
PAGE ntoskrnl.exe!MmPrefetchPages + 87 80594D7C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!MmPrefetchPages + 7B3 805954A8 3 Bytes CALL F4D9AA9F
PAGE ntoskrnl.exe!MmPrefetchPages + 7BF 805954B4 3 Bytes [F3, 55, 80]
PAGE ntoskrnl.exe!MmPrefetchPages + B40 80595835 3 Bytes [7C, 56, 80]
PAGE ntoskrnl.exe!MmPrefetchPages + B77 8059586C 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!RtlQueryRegistryValues + 1BD 80595CA3 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlQueryRegistryValues + 448 80595F2E 3 Bytes [5F, 59, 80]
PAGE ntoskrnl.exe!RtlQueryRegistryValues + 475 80595F5B 3 Bytes [5F, 59, 80]
PAGE ntoskrnl.exe!RtlQueryRegistryValues + 490 80595F76 3 Bytes [5F, 59, 80]
PAGE ntoskrnl.exe!RtlQueryRegistryValues + 4C7 80595FAD 3 Bytes [61, 59, 80]
PAGE ...
PAGE ntoskrnl.exe!IoGetDeviceProperty + A 8059619F 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!IoGetDeviceProperty + 54 805961E9 3 Bytes [64, 59, 80]
PAGE ntoskrnl.exe!IoGetDeviceProperty + 59 805961EE 3 Bytes [62, 59, 80] {BOUND EBX, [ECX-0x80]}
PAGE ntoskrnl.exe!IoGetDeviceProperty + B0 80596245 3 Bytes [11, 56, 80] {ADC [ESI-0x80], EDX}
PAGE ntoskrnl.exe!IoGetDeviceProperty + 172 80596307 3 Bytes [B2, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlStringFromGUID + 19 80596BFE 3 Bytes [AE, 57, 80]
PAGE ntoskrnl.exe!RtlStringFromGUID + 61 80596C46 3 Bytes [6B, 59, 80]
PAGE ntoskrnl.exe!ZwPlugPlayControl + 1E 80596C7B 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwPlugPlayControl + 24 80596C81 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwPlugPlayControl + 48 80596CA5 3 Bytes [B4, 69, 80]
PAGE ntoskrnl.exe!ZwPlugPlayControl + DF 80596D3C 3 Bytes [87, 51, 80] {XCHG [ECX-0x80], EDX}
PAGE ntoskrnl.exe!ZwPlugPlayControl + 14D 80596DAA 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwPrivilegeCheck + 4 80596F5C 3 Bytes CALL A041EFB0
PAGE ntoskrnl.exe!ZwPrivilegeCheck + 34 80596F8C 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!ZwPrivilegeCheck + 66 80596FBE 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwPrivilegeCheck + 8B 80596FE3 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwPrivilegeCheck + B8 80597010 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!IoOpenDeviceRegistryKey + A 8059724C 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!IoOpenDeviceRegistryKey + 62 805972A4 3 Bytes [73, 59, 80]
PAGE ntoskrnl.exe!IoOpenDeviceRegistryKey + 76 805972B8 3 Bytes [11, 56, 80] {ADC [ESI-0x80], EDX}
PAGE ntoskrnl.exe!IoOpenDeviceRegistryKey + AF 805972F1 3 Bytes [73, 59, 80]
PAGE ntoskrnl.exe!IoOpenDeviceRegistryKey + 129 8059736B 3 Bytes [11, 56, 80] {ADC [ESI-0x80], EDX}
PAGE ntoskrnl.exe!IoUnregisterPlugPlayNotification + C 80597481 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!IoUnregisterPlugPlayNotification + 18 8059748D 3 Bytes [16, 56, 80]
PAGE ntoskrnl.exe!IoUnregisterPlugPlayNotification + 27 8059749C 3 Bytes [A1, 69, 80]
PAGE ntoskrnl.exe!IoUnregisterPlugPlayNotification + 34 805974A9 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!IoUnregisterPlugPlayNotification + 39 805974AE 3 Bytes [16, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!IoRegisterPlugPlayNotification + A 80597530 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!IoRegisterPlugPlayNotification + 2A 80597550 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!IoRegisterPlugPlayNotification + C4 805975EA 3 Bytes [17, 56, 80]
PAGE ntoskrnl.exe!IoRegisterPlugPlayNotification + F7 8059761D 3 Bytes [16, 56, 80]
PAGE ntoskrnl.exe!IoRegisterPlugPlayNotification + 102 80597628 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!IoGetDeviceInterfaces + 34 805976C0 3 Bytes [76, 59, 80]
PAGE ntoskrnl.exe!IoGetDeviceInterfaces + 85 80597711 3 Bytes [4F, 51, 80]
PAGE ntoskrnl.exe!IoGetDeviceInterfaces + 156 805977E2 3 Bytes [B4, 69, 80]
PAGE ntoskrnl.exe!IoGetDeviceInterfaces + 15B 805977E7 3 Bytes [B4, 69, 80]
PAGE ntoskrnl.exe!IoGetDeviceInterfaces + 1BE 8059784A 3 Bytes [B2, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwCreateTimer + 4 80597CB6 3 Bytes CALL 4641FD0A
PAGE ntoskrnl.exe!ZwCreateTimer + 2D 80597CDF 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateTimer + 5E 80597D10 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwCreateTimer + 76 80597D28 3 Bytes [7C, 4E, 80]
PAGE ntoskrnl.exe!RtlGetFirstRange + 41 80597E46 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!RtlGetFirstRange + C1 80597EC6 3 Bytes [0E, 56, 80]
PAGE ntoskrnl.exe!PsGetProcessExitTime + 4E 80597FBF 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!PsGetProcessExitTime + 78 80597FE9 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!ZwResetEvent + 4 80598022 3 Bytes [8A, 51, 80] {MOV DL, [ECX-0x80]}
PAGE ntoskrnl.exe!ZwResetEvent + 33 80598051 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!ZwResetEvent + 77 80598095 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!ZwResetEvent + 17B 80598199 3 Bytes [BB, 55, 80]
PAGE ntoskrnl.exe!ZwResetEvent + 1C4 805981E2 3 Bytes [2E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!FsRtlNotifyInitializeSync + 17E 80598611 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!FsRtlNotifyInitializeSync + 227 805986BA 3 Bytes [87, 59, 80] {XCHG [ECX-0x80], EBX}
PAGE ntoskrnl.exe!FsRtlNotifyInitializeSync + 26E 80598701 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!FsRtlNotifyInitializeSync + 275 80598708 3 Bytes [9F, 56, 80]
PAGE ntoskrnl.exe!FsRtlNotifyInitializeSync + 29B 8059872E 3 Bytes [9F, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwImpersonateAnonymousToken + 22 80598C00 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwImpersonateAnonymousToken + 42 80598C20 3 Bytes [8C, 59, 80] {MOV WORD [ECX-0x80], DS}
PAGE ntoskrnl.exe!ZwImpersonateAnonymousToken + 47 80598C25 3 Bytes [8C, 59, 80] {MOV WORD [ECX-0x80], DS}
PAGE ntoskrnl.exe!ZwImpersonateAnonymousToken + 5A 80598C38 3 Bytes [AB, 69, 80]
PAGE ntoskrnl.exe!ZwImpersonateAnonymousToken + 62 80598C40 3 Bytes [AB, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ObSetSecurityDescriptorInfo + 444 80599492 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!ObSetSecurityDescriptorInfo + 4CB 80599519 3 Bytes [95, 59, 80]
PAGE ntoskrnl.exe!ObSetSecurityDescriptorInfo + 674 805996C2 3 Bytes [81, 55, 80]
PAGE ntoskrnl.exe!ObSetSecurityDescriptorInfo + 6B2 80599700 3 Bytes [97, 59, 80]
PAGE ntoskrnl.exe!ObSetSecurityDescriptorInfo + 7CC 8059981A 3 Bytes [A3, 55, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlGUIDFromString + E 8059A49E 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlGUIDFromString + 4A 8059A4DA 3 Bytes [6B, 59, 80]
PAGE ntoskrnl.exe!RtlGUIDFromString + 1F0 8059A680 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlGUIDFromString + 24E 8059A6DE 3 Bytes [A7, 59, 80]
PAGE ntoskrnl.exe!RtlGUIDFromString + 260 8059A6F0 3 Bytes [A7, 59, 80]
PAGE ntoskrnl.exe!IoOpenDeviceInterfaceRegistryKey + 19 8059A856 3 Bytes [11, 56, 80] {ADC [ESI-0x80], EDX}
PAGE ntoskrnl.exe!IoOpenDeviceInterfaceRegistryKey + 5E 8059A89B 3 Bytes [A8, 59, 80]
PAGE ntoskrnl.exe!IoOpenDeviceInterfaceRegistryKey + 1A1 8059A9DE 3 Bytes [AA, 59, 80]
PAGE ntoskrnl.exe!IoOpenDeviceInterfaceRegistryKey + 1A8 8059A9E5 3 Bytes [AA, 59, 80]
PAGE ntoskrnl.exe!IoOpenDeviceInterfaceRegistryKey + 2DD 8059AB1A 3 Bytes [11, 56, 80] {ADC [ESI-0x80], EDX}
PAGE ...
PAGE ntoskrnl.exe!ZwGetPlugPlayEvent + 4 8059B49B 3 Bytes [95, 51, 80]
PAGE ntoskrnl.exe!ZwGetPlugPlayEvent + 29 8059B4C0 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwGetPlugPlayEvent + 2F 8059B4C6 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwGetPlugPlayEvent + 42 8059B4D9 3 Bytes [A1, 69, 80]
PAGE ntoskrnl.exe!IoForwardAndCatchIrp + 8D 805BF90D 3 Bytes [1D, 0A, FE]
PAGE ...
PAGE ntoskrnl.exe!MmUnmapVideoDisplay + 37 805BFC49 40 Bytes JMP 805961EF \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!MmUnmapVideoDisplay + 60 805BFC72 48 Bytes [46, 00, 72, 00, 69, 00, 65, ...]
PAGE ntoskrnl.exe!MmUnmapVideoDisplay + 91 805BFCA3 30 Bytes [0F, 8D, 09, 4E, 03, 00, FF, ...]
PAGE ntoskrnl.exe!MmUnmapVideoDisplay + B0 805BFCC2 3 Bytes [69, 00, 67]
PAGE ntoskrnl.exe!MmUnmapVideoDisplay + B4 805BFCC6 14 Bytes [46, 00, 6C, 00, 61, 00, 67, ...] {INC ESI; ADD [EAX+EAX+0x61], CH; ADD [EDI+0x0], AH; JAE 0xa; ADD [EAX], AL; INT 3 ; INT 3 }
PAGE ...
PAGE ntoskrnl.exe!IoCreateController + 1E 805BFCFB 1 Byte [E0]
PAGE ntoskrnl.exe!IoCreateController + 1E 805BFCFB 13 Bytes [E0, 50, FF, 35, 6C, 0D, 56, ...]
PAGE ntoskrnl.exe!IoCreateController + 2C 805BFD09 10 Bytes [00, 56, 89, 75, E4, C7, 45, ...]
PAGE ntoskrnl.exe!IoCreateController + 38 805BFD15 7 Bytes CALL 0A4C72A3
PAGE ntoskrnl.exe!IoCreateController + 40 805BFD1D 3 Bytes CALL 8056D524 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!MmAllocateMappingAddress + 13 805BFDB0 99 Bytes [C1, EE, 0C, 0F, 84, 65, A8, ...]
PAGE ntoskrnl.exe!PoQueueShutdownWorkItem + 2 805BFE14 38 Bytes [55, 8B, EC, 56, BE, E0, 94, ...]
PAGE ntoskrnl.exe!PoQueueShutdownWorkItem + 29 805BFE3B 30 Bytes [95, 56, 80, 89, 48, 04, 89, ...]
PAGE ntoskrnl.exe!PoQueueShutdownWorkItem + 48 805BFE5A 3 Bytes [BF, EB, 02]
PAGE ntoskrnl.exe!PoQueueShutdownWorkItem + 4C 805BFE5E 13 Bytes JMP 82787BE6
PAGE ntoskrnl.exe!PoQueueShutdownWorkItem + 5A 805BFE6C 25 Bytes JMP 805A1186 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!IoRegisterDriverReinitialization + 4C 805BFFAE 50 Bytes JMP 805F2067 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoRegisterDriverReinitialization + 7F 805BFFE1 14 Bytes [8B, 45, 0C, 80, 48, 07, 80, ...] {MOV EAX, [EBP+0xc]; OR BYTE [EAX+0x7], 0x80; JMP 0xfffffffffffe9298; MOV ECX, EDI}
PAGE ntoskrnl.exe!IoRegisterDriverReinitialization + 8E 805BFFF0 56 Bytes JMP 805A4041 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoRegisterDriverReinitialization + C7 805C0029 83 Bytes [3B, CA, 0F, 85, 99, F3, 03, ...]
PAGE ntoskrnl.exe!IoRegisterDriverReinitialization + 11B 805C007D 56 Bytes CALL 8057A067 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!IoCreateSynchronizationEvent + 33 805C0B2C 43 Bytes [89, 75, F4, 89, 75, F8, E8, ...]
PAGE ntoskrnl.exe!IoCreateSynchronizationEvent + 5F 805C0B58 3 Bytes CALL 804E1911 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoCreateSynchronizationEvent + 63 805C0B5C 86 Bytes [8B, 45, 0C, 8B, 4D, 08, 89, ...]
PAGE ntoskrnl.exe!IoRegisterBootDriverReinitialization + 42 805C0BB3 15 Bytes [08, 88, FE, FF, B9, 78, 0E, ...]
PAGE ntoskrnl.exe!IoRegisterBootDriverReinitialization + 52 805C0BC3 30 Bytes [F0, FE, FF, FF, 8B, 40, 08, ...]
PAGE ntoskrnl.exe!IoRegisterBootDriverReinitialization + 71 805C0BE2 14 Bytes [8B, 85, D0, FE, FF, FF, 89, ...]
PAGE ntoskrnl.exe!IoRegisterBootDriverReinitialization + 80 805C0BF1 6 Bytes [50, 8D, 85, F8, FE, FF]
PAGE ntoskrnl.exe!IoRegisterBootDriverReinitialization + 87 805C0BF8 36 Bytes [50, 68, 80, 00, 00, 00, 8D, ...]
PAGE ...
PAGE ntoskrnl.exe!RtlIsRangeAvailable + 8C 805C2348 29 Bytes [85, C0, 0F, 9D, C0, C9, C2, ...]
PAGE ntoskrnl.exe!RtlUpperString + 10 805C2366 230 Bytes [8B, 71, 04, 57, 8B, 78, 04, ...]
PAGE ntoskrnl.exe!RtlUpperString + F7 805C244D 18 Bytes [41, BE, 84, 7D, D4, DA, 1A, ...]
PAGE ntoskrnl.exe!RtlUpperString + 10A 805C2460 24 Bytes [56, 98, 6C, 13, C0, A8, 6B, ...]
PAGE ntoskrnl.exe!RtlUpperString + 123 805C2479 561 Bytes [3D, 0F, FA, F5, 0D, 08, 8D, ...]
PAGE ntoskrnl.exe!RtlUpperString + 355 805C26AB 258 Bytes [36, 60, 7A, 04, 41, C3, EF, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwCreateKeyedEvent + C 805C292E 5 Bytes [64, A1, 24, 01, 00]
PAGE ntoskrnl.exe!ZwCreateKeyedEvent + 12 805C2934 5 Bytes [8A, 80, 40, 01, 00]
PAGE ntoskrnl.exe!ZwCreateKeyedEvent + 18 805C293A 15 Bytes [88, 45, E0, 33, DB, 89, 5D, ...]
PAGE ntoskrnl.exe!ZwCreateKeyedEvent + 28 805C294A 33 Bytes [8B, 45, 08, 89, 18, 83, 4D, ...]
PAGE ntoskrnl.exe!ZwCreateKeyedEvent + 4A 805C296C 25 Bytes [35, 54, A4, 56, 80, FF, 75, ...]
PAGE ...
PAGE ntoskrnl.exe!ObCreateObjectType + 35 805C5EE3 12 Bytes [00, F7, 40, 04, 0D, F8, FF, ...]
PAGE ntoskrnl.exe!ObCreateObjectType + 42 805C5EF0 18 Bytes [00, 66, 83, 38, 4C, 0F, 85, ...]
PAGE ntoskrnl.exe!ObCreateObjectType + 55 805C5F03 56 Bytes [00, 80, 78, 02, 00, 75, 08, ...]
PAGE ntoskrnl.exe!ObCreateObjectType + 8E 805C5F3C 16 Bytes [89, 5D, E0, 89, 5D, DC, C7, ...]
PAGE ntoskrnl.exe!ObCreateObjectType + 9F 805C5F4D 9 Bytes CALL 2B067186
PAGE ...
PAGE ntoskrnl.exe!IoReadPartitionTableEx + 1 805C692E 81 Bytes [FF, 55, 8B, EC, 6A, 00, 8D, ...]
PAGE ntoskrnl.exe!IoReadPartitionTableEx + 53 805C6980 86 Bytes [8B, F0, 85, F6, 7C, DB, EB, ...]
PAGE ntoskrnl.exe!IoGetBootDiskInformation + 4A 805C69D7 122 Bytes [83, 7D, 0C, 40, 57, FF, 76, ...]
PAGE ntoskrnl.exe!IoGetBootDiskInformation + C5 805C6A52 20 Bytes CALL 804DA26B \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoGetBootDiskInformation + DA 805C6A67 27 Bytes CALL 80588DF0 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!IoGetBootDiskInformation + F6 805C6A83 14 Bytes [50, 68, 80, 00, 00, 00, 8D, ...]
PAGE ntoskrnl.exe!IoGetBootDiskInformation + 105 805C6A92 10 Bytes [B4, 01, 00, 8B, F0, 8D, 85, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwLockRegistryKey + 11 805C716E 6 Bytes [84, C0, 75, 60, 6A, 00] {TEST AL, AL; JNZ 0x64; PUSH 0x0}
PAGE ntoskrnl.exe!ZwLockRegistryKey + 18 805C7175 37 Bytes [35, 7C, AC, 69, 80, FF, 35, ...]
PAGE ntoskrnl.exe!ZwLockRegistryKey + 3E 805C719B 85 Bytes [02, 00, FF, 75, 08, E8, B4, ...]
PAGE ntoskrnl.exe!ZwLockRegistryKey + 94 805C71F1 4 Bytes [84, CB, 11, 05]
PAGE ntoskrnl.exe!ZwLockRegistryKey + 99 805C71F6 47 Bytes JMP 806183B7 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!RtlInitCodePageTable + 2 805C72E9 22 Bytes [55, 8B, EC, 8B, 4D, 08, 66, ...]
PAGE ntoskrnl.exe!RtlInitCodePageTable + 19 805C7300 424 Bytes [1A, 66, 03, D8, 8B, 45, 0C, ...]
PAGE ntoskrnl.exe!RtlInitCodePageTable + 1C2 805C74A9 7 Bytes [07, 8B, 4D, 14, 8B, 7D, FC] {POP ES; MOV ECX, [EBP+0x14]; MOV EDI, [EBP-0x4]}
PAGE ntoskrnl.exe!RtlInitCodePageTable + 1CA 805C74B1 13 Bytes JMP 0C0267B8
PAGE ntoskrnl.exe!RtlInitCodePageTable + 1D8 805C74BF 16 Bytes [CB, 01, 4D, FC, 8B, 75, EC, ...] {RETF ; ADD [EBP-0x4], ECX; MOV ESI, [EBP-0x14]; ADD ESI, [EBP+0x14]; INC DWORD [EBP-0x8]; MOV EDI, [EBP-0x8]}
PAGE ...
PAGE ntoskrnl.exe!IoReportDetectedDevice + 6D 805C8101 4 Bytes [7E, 18, 83, C7]
PAGE ntoskrnl.exe!IoReportDetectedDevice + 72 805C8106 3 Bytes [F6, 46, 08]
PAGE ntoskrnl.exe!IoReportDetectedDevice + 76 805C810A 58 Bytes [89, BD, 08, FE, FF, FF, 0F, ...]
PAGE ntoskrnl.exe!IoReportDetectedDevice + B1 805C8145 23 Bytes [00, 6A, 04, 53, 6A, 08, FF, ...]
PAGE ntoskrnl.exe!IoReportDetectedDevice + CA 805C815E 92 Bytes [8B, 85, 58, FE, FF, FF, 80, ...]
PAGE ...
PAGE ntoskrnl.exe!IoRegisterFsRegistrationChange + 22 805C8C64 6 Bytes [80, 0F, 85, 26, 5C, 02]
PAGE ntoskrnl.exe!IoRegisterFsRegistrationChange + 29 805C8C6B 24 Bytes [68, 49, 6F, 46, 73, 6A, 10, ...]
PAGE ntoskrnl.exe!IoRegisterFsRegistrationChange + 42 805C8C84 39 Bytes [8B, 4D, 08, 89, 48, 08, 89, ...]
PAGE ntoskrnl.exe!IoRegisterFsRegistrationChange + 6A 805C8CAC 55 Bytes [8B, 35, 88, 0E, 56, 80, BF, ...]
PAGE ntoskrnl.exe!IoRegisterFsRegistrationChange + A2 805C8CE4 46 Bytes [BF, 78, 0E, 56, 80, 3B, F7, ...]
PAGE ...
PAGE ntoskrnl.exe!RtlCreateUnicodeString + 28 805C996D 66 Bytes [CB, 8B, F8, 8B, C1, C1, E9, ...]
PAGE ntoskrnl.exe!RtlCreateUnicodeString + 6B 805C99B0 16 Bytes [75, E0, 8D, 47, 20, FF, 75, ...]
PAGE ntoskrnl.exe!RtlCreateUnicodeString + 7C 805C99C1 92 Bytes [91, FF, FF, 8B, F0, 3B, F3, ...]
PAGE ntoskrnl.exe!RtlCreateUnicodeString + D9 805C9A1E 76 Bytes [0C, 08, 89, 4D, E4, 57, 50, ...]
PAGE ntoskrnl.exe!RtlCreateUnicodeString + 126 805C9A6B 15 Bytes [FF, 89, 7D, E4, EB, B2, F6, ...]
PAGE ...
PAGE ntoskrnl.exe!RtlInitializeRangeList + 24 805C9D1B 103 Bytes [A0, 69, 80, 00, 56, 57, 6A, ...]
PAGE ntoskrnl.exe!RtlInitializeRangeList + 8C 805C9D83 13 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
PAGE ntoskrnl.exe!RtlInitializeRangeList + 9A 805C9D91 7 Bytes [08, 8B, 47, 08, 8B, 80, B0]
PAGE ntoskrnl.exe!RtlInitializeRangeList + A2 805C9D99 28 Bytes [00, 00, 8B, 70, 14, 8B, 46, ...]
PAGE ntoskrnl.exe!RtlInitializeRangeList + BF 805C9DB6 4 Bytes [FF, 0D, 00, 04]
PAGE ...
PAGE ntoskrnl.exe!RtlQueryTimeZoneInformation + CC 805CA78F 3 Bytes [30, 5C, 80]
PAGE ntoskrnl.exe!RtlQueryTimeZoneInformation + DC 805CA79F 3 Bytes [30, 5C, 80]
PAGE ntoskrnl.exe!RtlQueryTimeZoneInformation + E6 805CA7A9 3 Bytes [30, 5C, 80]
PAGE ntoskrnl.exe!RtlQueryTimeZoneInformation + F0 805CA7B3 3 Bytes [31, 5C, 80]
PAGE ntoskrnl.exe!RtlQueryTimeZoneInformation + F7 805CA7BA 3 Bytes [31, 5C, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToMultiByteN + 10 805CC471 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToMultiByteN + 39 805CC49A 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToMultiByteN + 55 805CC4B6 3 Bytes [C4, 5C, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToMultiByteN + 63 805CC4C4 3 Bytes [A4, 69, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToMultiByteN + B0 805CC511 3 Bytes CALL 0BDD2EB8
PAGE ntoskrnl.exe!ZwCancelIoFile + 4 805CC543 3 Bytes [27, 51, 80]
PAGE ntoskrnl.exe!ZwCancelIoFile + 2B 805CC56A 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCancelIoFile + 53 805CC592 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!ZwCancelIoFile + 72 805CC5B1 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!ZwCancelIoFile + A5 805CC5E4 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!ZwWriteFileGather + 4 805CC830 3 Bytes [85, 50, 80] {TEST [EAX-0x80], EDX}
PAGE ntoskrnl.exe!ZwWriteFileGather + 3D 805CC869 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!ZwWriteFileGather + D5 805CC901 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwWriteFileGather + 108 805CC934 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwWriteFileGather + 1C6 805CC9F2 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!FsRtlInitializeTunnelCache + 4F 805CCEFF 3 Bytes [F5, 55, 80]
PAGE ntoskrnl.exe!FsRtlDeleteTunnelCache + 8 805CCF2D 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!IoCreateStreamFileObject + DF 805CD03B 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!IoCreateStreamFileObject + 17F 805CD0DB 3 Bytes [B2, 69, 80]
PAGE ntoskrnl.exe!IoCreateSymbolicLink + 1C 805CD176 3 Bytes [AB, 69, 80]
PAGE ntoskrnl.exe!RtlAppendStringToString + 55 805CD327 3 Bytes CALL 09DD3CCE
PAGE ntoskrnl.exe!RtlPinAtomInAtomTable + 4 805CD368 3 Bytes [90, 50, 80]
PAGE ntoskrnl.exe!RtlSetSaclSecurityDescriptor + AE 805CD7CF 3 Bytes [9E, 56, 80]
PAGE ntoskrnl.exe!RtlSetSaclSecurityDescriptor + B3 805CD7D4 3 Bytes [81, 55, 80]
PAGE ntoskrnl.exe!RtlSetSaclSecurityDescriptor + EF 805CD810 3 Bytes [9E, 56, 80]
PAGE ntoskrnl.exe!RtlSetSaclSecurityDescriptor + 13E 805CD85F 3 Bytes [14, 56, 80]
PAGE ntoskrnl.exe!RtlSetSaclSecurityDescriptor + 1B2 805CD8D3 3 Bytes [AE, 57, 80]
PAGE ntoskrnl.exe!ZwPrivilegedServiceAuditAlarm + 4 805CD926 3 Bytes [90, 50, 80]
PAGE ntoskrnl.exe!ZwPrivilegedServiceAuditAlarm + 31 805CD953 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!ZwPrivilegedServiceAuditAlarm + AD 805CD9CF 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwPrivilegedServiceAuditAlarm + BF 805CD9E1 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwPrivilegedServiceAuditAlarm + FD 805CDA1F 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSetUuidSeed + 4 805CDAD2 3 Bytes [91, 50, 80]
PAGE ntoskrnl.exe!ZwSetUuidSeed + 67 805CDB35 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSetUuidSeed + 76 805CDB44 3 Bytes [B1, 69, 80]
PAGE ntoskrnl.exe!ZwSetUuidSeed + 87 805CDB55 3 Bytes [B1, 69, 80]
PAGE ntoskrnl.exe!ZwSetUuidSeed + 125 805CDBF3 3 Bytes [02, 56, 80] {ADD DL, [ESI-0x80]}
PAGE ...
PAGE ntoskrnl.exe!ZwLockProductActivationKeys + 7 805CDCF6 3 Bytes [91, 50, 80]
PAGE ntoskrnl.exe!ZwLockProductActivationKeys + 11 805CDD00 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!ZwLockProductActivationKeys + 35 805CDD24 3 Bytes [82, 55, 80]
PAGE ntoskrnl.exe!ZwLockProductActivationKeys + A2 805CDD91 3 Bytes [91, 50, 80]
PAGE ntoskrnl.exe!ZwLockProductActivationKeys + C8 805CDDB7 3 Bytes [91, 50, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwFilterToken + 4 805CE47F 3 Bytes [91, 50, 80]
PAGE ntoskrnl.exe!ZwFilterToken + 42 805CE4BD 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwFilterToken + 66 805CE4E1 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwFilterToken + D9 805CE554 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!ZwFilterToken + 206 805CE681 3 Bytes [A3, 55, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwLoadKey + 22 805CE80F 3 Bytes [93, 50, 80]
PAGE ntoskrnl.exe!ZwLoadKey + 2C 805CE819 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!ZwLoadKey + 60 805CE84D 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwLoadKey2 + 4 805CE950 3 Bytes [93, 50, 80]
PAGE ntoskrnl.exe!ZwLoadKey2 + 36 805CE982 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwLoadKey2 + 3C 805CE988 3 Bytes CALL 68DD5339
PAGE ntoskrnl.exe!ZwLoadKey2 + 89 805CE9D5 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwLoadKey2 + 157 805CEAA3 3 Bytes [B3, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!IoGetConfigurationInformation + 2 805D1299 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!IoCreateUnprotectedSymbolicLink + 18B 805D142D 3 Bytes [14, 5D, 80]
PAGE ntoskrnl.exe!IoCreateUnprotectedSymbolicLink + 1CC 805D146E 3 Bytes [13, 5D, 80] {ADC EBX, [EBP-0x80]}
PAGE ntoskrnl.exe!IoCreateUnprotectedSymbolicLink + 1D0 805D1472 3 Bytes [2D, 5D, 80]
PAGE ntoskrnl.exe!IoCreateUnprotectedSymbolicLink + 1D4 805D1476 3 Bytes [13, 5D, 80] {ADC EBX, [EBP-0x80]}
PAGE ntoskrnl.exe!IoCreateUnprotectedSymbolicLink + 1D8 805D147A 3 Bytes [13, 5D, 80] {ADC EBX, [EBP-0x80]}
PAGE ...
PAGE ntoskrnl.exe!IoSetDeviceInterfaceState + 17 805D19F4 3 Bytes [11, 56, 80] {ADC [ESI-0x80], EDX}
PAGE ntoskrnl.exe!IoSetDeviceInterfaceState + F5 805D1AD2 3 Bytes [1B, 5D, 80] {SBB EBX, [EBP-0x80]}
PAGE ntoskrnl.exe!IoSetDeviceInterfaceState + 125 805D1B02 3 Bytes [1C, 5D, 80]
PAGE ntoskrnl.exe!IoSetDeviceInterfaceState + 1B8 805D1B95 3 Bytes [1C, 5D, 80]
PAGE ntoskrnl.exe!IoSetDeviceInterfaceState + 1DE 805D1BBB 3 Bytes [1C, 5D, 80]
PAGE ...
PAGE ntoskrnl.exe!IoInitializeTimer + 4B 805D2097 3 Bytes [96, 55, 80]
PAGE ntoskrnl.exe!IoInitializeTimer + 53 805D209F 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!RtlGetVersion + 7 805D20E4 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
PAGE ntoskrnl.exe!RtlGetVersion + 13 805D20F0 3 Bytes [07, 56, 80]
PAGE ntoskrnl.exe!RtlGetVersion + 1B 805D20F8 3 Bytes CALL A5DD762D
PAGE ntoskrnl.exe!RtlGetVersion + 3A 805D2117 3 Bytes [07, 56, 80]
PAGE ntoskrnl.exe!RtlGetVersion + 46 805D2123 3 Bytes [07, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!IoGetDeviceInterfaceAlias + 51 805D28AE 3 Bytes [11, 56, 80] {ADC [ESI-0x80], EDX}
PAGE ntoskrnl.exe!IoGetDeviceInterfaceAlias + 7A 805D28D7 3 Bytes [29, 5D, 80] {SUB [EBP-0x80], EBX}
PAGE ntoskrnl.exe!IoGetDeviceInterfaceAlias + E8 805D2945 3 Bytes [2A, 5D, 80] {SUB BL, [EBP-0x80]}
PAGE ntoskrnl.exe!IoGetDeviceInterfaceAlias + 15A 805D29B7 3 Bytes [11, 56, 80] {ADC [ESI-0x80], EDX}
PAGE ntoskrnl.exe!IoGetDeviceInterfaceAlias + 1D0 805D2A2D 3 Bytes [A1, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!FsRtlRegisterUncProvider + 17 805D391F 3 Bytes [06, 56, 80]
PAGE ntoskrnl.exe!FsRtlRegisterUncProvider + 22 805D392A 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!FsRtlRegisterUncProvider + 34 805D393C 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!FsRtlRegisterUncProvider + 3E 805D3946 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!FsRtlRegisterUncProvider + 49 805D3951 3 Bytes [A0, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!SeRegisterLogonSessionTerminatedRoutine + 3C 805D3BBF 3 Bytes [CD, 55, 80]
PAGE ntoskrnl.exe!SeRegisterLogonSessionTerminatedRoutine + 48 805D3BCB 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeRegisterLogonSessionTerminatedRoutine + 55 805D3BD8 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeRegisterLogonSessionTerminatedRoutine + AF 805D3C32 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!SeRegisterLogonSessionTerminatedRoutine + EA 805D3C6D 3 Bytes [90, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!NtDeleteFile + D 805D54C1 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!NtDeleteFile + C9 805D557D 3 Bytes [F2, 55, 80]
PAGE ntoskrnl.exe!NtDeleteFile + DA 805D558E 3 Bytes [F2, 55, 80]
PAGE ntoskrnl.exe!NtDeleteFile + 100 805D55B4 3 Bytes [B2, 69, 80]
PAGE ntoskrnl.exe!NtDeleteFile + 109 805D55BD 3 Bytes [B2, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwCreateJobObject + 4 805D5CE2 3 Bytes [2E, 51, 80]
PAGE ntoskrnl.exe!ZwCreateJobObject + 2C 805D5D0A 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateJobObject + 56 805D5D34 3 Bytes [96, 56, 80]
PAGE ntoskrnl.exe!ZwCreateJobObject + F4 805D5DD2 3 Bytes [96, 56, 80]
PAGE ntoskrnl.exe!ZwCreateJobObject + FC 805D5DDA 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwSetInformationJobObject + 7 805D5E39 3 Bytes [2E, 51, 80]
PAGE ntoskrnl.exe!ZwSetInformationJobObject + 71 805D5EA3 3 Bytes [BF, 58, 80]
PAGE ntoskrnl.exe!ZwSetInformationJobObject + 7B 805D5EAD 3 Bytes [BF, 58, 80]
PAGE ntoskrnl.exe!ZwSetInformationJobObject + BA 805D5EEC 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSetInformationJobObject + F0 805D5F22 3 Bytes [96, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwSetDefaultUILanguage + 18 805D630A 3 Bytes [63, 5D, 80] {ARPL [EBP-0x80], BX}
PAGE ntoskrnl.exe!ZwSetDefaultLocale + D 805D6358 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!ZwSetDefaultLocale + 4A 805D6395 3 Bytes [64, 5D, 80]
PAGE ntoskrnl.exe!ZwSetDefaultLocale + 5B 805D63A6 3 Bytes [64, 5D, 80]
PAGE ntoskrnl.exe!ZwSetDefaultLocale + 1E5 805D6530 3 Bytes [A2, 69, 80]
PAGE ntoskrnl.exe!ZwSetDefaultLocale + 571 805D68BC 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!MmPageEntireDriver + 18 805D68FC 3 Bytes [79, 56, 80]
PAGE ntoskrnl.exe!MmPageEntireDriver + 25 805D6909 3 Bytes [78, 56, 80]
PAGE ntoskrnl.exe!MmPageEntireDriver + 30 805D6914 3 Bytes [78, 56, 80]
PAGE ntoskrnl.exe!MmResetDriverPaging + 8 805D69BF 3 Bytes [79, 56, 80]
PAGE ntoskrnl.exe!MmResetDriverPaging + DF 805D6A96 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!MmResetDriverPaging + 3A1 805D6D58 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!MmResetDriverPaging + 3F0 805D6DA7 3 Bytes [8C, 56, 80] {MOV WORD [ESI-0x80], SS}
PAGE ntoskrnl.exe!MmResetDriverPaging + 3F8 805D6DAF 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwCreateMailslotFile + 4 805D6E8B 3 Bytes [2C, 51, 80]
PAGE ntoskrnl.exe!ZwCreateMailslotFile + 3A 805D6EC1 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateMailslotFile + 130 805D6FB7 3 Bytes [86, 51, 80] {XCHG [ECX-0x80], DL}
PAGE ntoskrnl.exe!ZwCreateMailslotFile + 14A 805D6FD1 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!FsRtlOplockFsctrl + 9D 805D7129 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!FsRtlOplockFsctrl + 175 805D7201 3 Bytes [9F, 56, 80]
PAGE ntoskrnl.exe!FsRtlOplockFsctrl + 1CF 805D725B 3 Bytes [81, 55, 80]
PAGE ntoskrnl.exe!RtlValidSecurityDescriptor + 4 805D731F 3 Bytes CALL 68DDC450
PAGE ntoskrnl.exe!RtlValidSecurityDescriptor + F5 805D7410 3 Bytes [9E, 56, 80]
PAGE ntoskrnl.exe!RtlValidSecurityDescriptor + 123 805D743E 3 Bytes [9F, 56, 80]
PAGE ntoskrnl.exe!RtlDecompressFragment + 3B 805D7490 3 Bytes [74, 5D, 80]
PAGE ntoskrnl.exe!RtlDecompressFragment + 54 805D74A9 3 Bytes [80, 5D, 80]
PAGE ntoskrnl.exe!RtlDecompressFragment + 58 805D74AD 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ntoskrnl.exe!RtlDecompressFragment + 5C 805D74B1 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ntoskrnl.exe!RtlDecompressFragment + 60 805D74B5 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ...
PAGE ntoskrnl.exe!RtlFindMessage + 12B 805D8564 3 Bytes [85, 5D, 80] {TEST [EBP-0x80], EBX}
PAGE ntoskrnl.exe!RtlFindMessage + 12F 805D8568 3 Bytes [85, 5D, 80] {TEST [EBP-0x80], EBX}
PAGE ntoskrnl.exe!RtlFindMessage + 133 805D856C 3 Bytes [85, 5D, 80] {TEST [EBP-0x80], EBX}
PAGE ntoskrnl.exe!RtlFindMessage + 137 805D8570 3 Bytes [83, 5D, 80]
PAGE ntoskrnl.exe!RtlFindMessage + 13B 805D8574 3 Bytes [83, 5D, 80]
PAGE ...
PAGE ntoskrnl.exe!NtAllocateUuids + 4 805D878D 3 Bytes CALL 68DDD80B
PAGE ntoskrnl.exe!NtAllocateUuids + 32 805D87BB 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtAllocateUuids + 59 805D87E2 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtAllocateUuids + 79 805D8802 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtAllocateUuids + 98 805D8821 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwPrivilegeObjectAuditAlarm + 4 805D88D3 3 Bytes [99, 51, 80]
PAGE ntoskrnl.exe!ZwPrivilegeObjectAuditAlarm + 2E 805D88FD 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!ZwPrivilegeObjectAuditAlarm + 9D 805D896C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwPrivilegeObjectAuditAlarm + AF 805D897E 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwPrivilegeObjectAuditAlarm + ED 805D89BC 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwFlushKey + 4 805D93C7 3 Bytes [94, 51, 80]
PAGE ntoskrnl.exe!ZwFlushKey + 13 805D93D6 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwFlushKey + 36 805D93F9 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwFlushKey + 4F 805D9412 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwFlushKey + 8A 805D944D 3 Bytes [B3, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlLengthSid + 113 805D9855 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!RtlLengthSid + 133 805D9875 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!NtQuerySecurityObject + 4 805D9EBA 3 Bytes [52, 51, 80]
PAGE ntoskrnl.exe!NtQuerySecurityObject + 1B5 805DA06B 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtQuerySecurityObject + 1F8 805DA0AE 3 Bytes [7A, 55, 80]
PAGE ntoskrnl.exe!NtQuerySecurityObject + 221 805DA0D7 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!NtQuerySecurityObject + 261 805DA117 3 Bytes [9F, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwCreateIoCompletion + 4 805DA671 3 Bytes [4D, 51, 80]
PAGE ntoskrnl.exe!ZwCreateIoCompletion + 2C 805DA699 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateIoCompletion + 3D 805DA6AA 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!ZwCreateIoCompletion + 1E7 805DA854 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!ZwCreateIoCompletion + 3ED 805DAA5A 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!MmLockPagableSectionByHandle + A5 805DABEF 3 Bytes [76, 56, 80]
PAGE ntoskrnl.exe!MmLockPagableSectionByHandle + C7 805DAC11 3 Bytes [AB, 69, 80]
PAGE ntoskrnl.exe!ZwAccessCheckByType + B1 805DAD03 3 Bytes [AE, 57, 80]
PAGE ntoskrnl.exe!ZwAccessCheckByType + 140 805DAD92 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ZwAccessCheckByType + 2AD 805DAEFF 3 Bytes [9C, 51, 80]
PAGE ntoskrnl.exe!ZwAccessCheckByType + 2DE 805DAF30 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwAccessCheckByType + 305 805DAF57 3 Bytes [97, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!NtDeleteAtom + 3D 805DCCD3 3 Bytes [01, 56, 80] {ADD [ESI-0x80], EDX}
PAGE ntoskrnl.exe!NtDeleteAtom + 1D7 805DCE6D 3 Bytes [80, 4D, 80]
PAGE ntoskrnl.exe!NtDeleteAtom + 226 805DCEBC 3 Bytes [45, 4F, 80]
PAGE ntoskrnl.exe!NtDeleteAtom + 385 805DD01B 3 Bytes [01, 56, 80] {ADD [ESI-0x80], EDX}
PAGE ntoskrnl.exe!NtDeleteAtom + 3AE 805DD044 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!NtLockFile + 4 805DD067 3 Bytes [5F, 51, 80]
PAGE ntoskrnl.exe!NtLockFile + 31 805DD094 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!NtLockFile + 5F 805DD0C2 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtLockFile + 82 805DD0E5 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtUnlockFile + 4 805DD1C7 3 Bytes [62, 51, 80] {BOUND EDX, [ECX-0x80]}
PAGE ntoskrnl.exe!NtUnlockFile + 2C 805DD1EF 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!NtUnlockFile + 59 805DD21C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtUnlockFile + 7F 805DD242 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtNotifyChangeDirectoryFile + 4 805DD2FE 3 Bytes [47, 4F, 80]
PAGE ntoskrnl.exe!NtNotifyChangeDirectoryFile + 33 805DD32D 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtNotifyChangeDirectoryFile + 7F 805DD379 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!NtNotifyChangeDirectoryFile + B0 805DD3AA 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!FsRtlNotifyFilterChangeDirectory + 4 805DD48D 3 Bytes [46, 4F, 80]
PAGE ntoskrnl.exe!FsRtlNotifyFilterChangeDirectory + 1BF 805DD648 3 Bytes [47, 4F, 80]
PAGE ntoskrnl.exe!FsRtlNotifyFilterChangeDirectory + 31F 805DD7A8 3 Bytes [47, 4F, 80]
PAGE ntoskrnl.exe!ObCheckCreateObjectAccess + 16C 805DDC71 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlGenerate8dot3Name + E 805DE018 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlGenerate8dot3Name + 194 805DE19E 3 Bytes [E2, 5D, 80]
PAGE ntoskrnl.exe!RtlGenerate8dot3Name + 2F4 805DE2FE 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!RtlGenerate8dot3Name + 4AD 805DE4B7 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!RtlGenerate8dot3Name + 54F 805DE559 3 Bytes [7B, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!FsRtlAddToTunnelCache + F 805DE9DC 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!FsRtlAddToTunnelCache + 73 805DEA40 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ObQueryObjectAuditingByHandle + F7 805DEB75 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!RtlHashUnicodeString + 39 805DEBC8 3 Bytes CALL D3DE556F
PAGE ntoskrnl.exe!RtlUnicodeToOemN + D 805DECAA 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!RtlUnicodeToOemN + 36 805DECD3 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!RtlUnicodeToOemN + 57 805DECF4 3 Bytes [ED, 5D, 80]
PAGE ntoskrnl.exe!RtlUnicodeToOemN + 10A 805DEDA7 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!RtlUnicodeToOemN + 146 805DEDE3 3 Bytes [ED, 5D, 80]
PAGE ...
PAGE ntoskrnl.exe!FsRtlIsFatDbcsLegal + 6D 805DEE94 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!RtlUnicodeStringToCountedOemString + 8 805DEF20 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!SeValidSecurityDescriptor + 14F 805DF0FC 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!SeValidSecurityDescriptor + 193 805DF140 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!FsRtlFindInTunnelCache + 4 805DF16B 3 Bytes [BD, 4F, 80]
PAGE ntoskrnl.exe!FsRtlFindInTunnelCache + 13 805DF17A 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!FsRtlFindInTunnelCache + 2E 805DF195 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!FsRtlFindInTunnelCache + 8F 805DF1F6 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!FsRtlFindInTunnelCache + B1 805DF218 3 Bytes [A7, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!NtAllocateLocallyUniqueId + 4 805DF8F4 3 Bytes CALL 68DE483E
PAGE ntoskrnl.exe!NtAllocateLocallyUniqueId + 2E 805DF91E 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!RtlSetDaclSecurityDescriptor + CC 805DFBAB 3 Bytes [AB, 69, 80]
PAGE ntoskrnl.exe!RtlSetDaclSecurityDescriptor + E1 805DFBC0 3 Bytes [AB, 69, 80]
PAGE ntoskrnl.exe!RtlSetDaclSecurityDescriptor + ED 805DFBCC 3 Bytes [AB, 69, 80]
PAGE ntoskrnl.exe!RtlSetDaclSecurityDescriptor + 14D 805DFC2C 3 Bytes [AB, 69, 80]
PAGE ntoskrnl.exe!RtlSetDaclSecurityDescriptor + 15B 805DFC3A 3 Bytes [AB, 69, 80]
PAGE ntoskrnl.exe!ZwImpersonateClientOfPort + 4 805DFD72 3 Bytes [3F, 4F, 80]
PAGE ntoskrnl.exe!ZwImpersonateClientOfPort + E 805DFD7C 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!ZwImpersonateClientOfPort + 41 805DFDAF 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwImpersonateClientOfPort + 6D 805DFDDB 3 Bytes [2F, 56, 80]
PAGE ntoskrnl.exe!ZwImpersonateClientOfPort + AB 805DFE19 3 Bytes [2E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwCompareTokens + 4 805DFFFF 3 Bytes [3F, 4F, 80]
PAGE ntoskrnl.exe!ZwCompareTokens + 33 805E002E 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCompareTokens + 60 805E005B 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!ZwCompareTokens + 89 805E0084 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!ZwCompareTokens + 1CA 805E01C5 3 Bytes [3F, 4F, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwReadRequestData + 39 805E054F 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwWriteRequestData + 2B 805E05C5 3 Bytes [4C, 51, 80]
PAGE ntoskrnl.exe!ZwWriteRequestData + 8A 805E0624 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwWriteRequestData + 153 805E06ED 3 Bytes [AD, 69, 80]
PAGE ntoskrnl.exe!ZwWriteRequestData + 15F 805E06F9 3 Bytes [AD, 69, 80]
PAGE ntoskrnl.exe!ZwWriteRequestData + 17F 805E0719 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!NtAdjustPrivilegesToken + 4 805E0793 3 Bytes [4C, 51, 80]
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 16C 80638DE1 3 Bytes [8D, 63, 80] {LEA ESP, [EBX-0x80]}
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 170 80638DE5 3 Bytes [8D, 63, 80] {LEA ESP, [EBX-0x80]}
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 174 80638DE9 3 Bytes [8D, 63, 80] {LEA ESP, [EBX-0x80]}
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 178 80638DED 3 Bytes [8D, 63, 80] {LEA ESP, [EBX-0x80]}
PAGE ...
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 51 80638E7C 3 Bytes [96, 63, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 8D 80638EB8 3 Bytes CALL 0BE3F85F
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + F8 80638F23 3 Bytes CALL 0BE3F8CA
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 163 80638F8E 3 Bytes CALL 0BE3F935
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 1CE 80638FF9 3 Bytes CALL 0BE3F9A0
PAGE ...
PAGE ntoskrnl.exe!PfxRemovePrefix + 9C 8063977F 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!PfxRemovePrefix + B8 8063979B 3 Bytes [C4, 56, 80] {LES EDX, DWORD [ESI-0x80]}
PAGE ntoskrnl.exe!PfxRemovePrefix + 19B 8063987E 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!PfxRemovePrefix + 1B9 8063989C 3 Bytes [C4, 56, 80] {LES EDX, DWORD [ESI-0x80]}
PAGE ntoskrnl.exe!PfxRemovePrefix + 1F6 806398D9 3 Bytes [C4, 56, 80] {LES EDX, DWORD [ESI-0x80]}
PAGE ntoskrnl.exe!RtlDestroyAtomTable + 4 80639D7F 3 Bytes [E6, 52, 80]
PAGE ntoskrnl.exe!RtlEmptyAtomTable + 4 80639E41 3 Bytes [E6, 52, 80]
PAGE ntoskrnl.exe!RtlEmptyAtomTable + EB 80639F28 3 Bytes [E6, 52, 80]
PAGE ntoskrnl.exe!RtlDeleteRange + F9 8063A22F 3 Bytes [C5, 55, 80] {LDS EDX, DWORD [EBP-0x80]}
PAGE ntoskrnl.exe!RtlZeroHeap + 4 8063A319 3 Bytes [E6, 52, 80]
PAGE ntoskrnl.exe!RtlDestroyHeap + 10 8063A503 3 Bytes [A5, 63, 80]
PAGE ntoskrnl.exe!RtlSizeHeap + 47 8063A61D 3 Bytes [E6, 52, 80]
PAGE ntoskrnl.exe!RtlSizeHeap + 1AA 8063A780 3 Bytes [B1, 63, 80]
PAGE ntoskrnl.exe!RtlSizeHeap + 1B8 8063A78E 3 Bytes [BA, 55, 80]
PAGE ntoskrnl.exe!RtlSizeHeap + 260 8063A836 3 Bytes [01, 4F, 80] {ADD [EDI-0x80], ECX}
PAGE ntoskrnl.exe!RtlSizeHeap + 26F 8063A845 3 Bytes [01, 4F, 80] {ADD [EDI-0x80], ECX}
PAGE ...
PAGE ntoskrnl.exe!RtlDowncaseUnicodeString + 21 8063B4DC 3 Bytes [AE, 57, 80]
PAGE ntoskrnl.exe!RtlDowncaseUnicodeString + 7A 8063B535 3 Bytes [A2, 69, 80]
PAGE ntoskrnl.exe!RtlDowncaseUnicodeString + 106 8063B5C1 3 Bytes [A2, 69, 80]
PAGE ntoskrnl.exe!RtlAnsiStringToUnicodeSize + 5A 8063B695 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeStringToAnsiString + B 8063B9B8 3 Bytes [A5, 69, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeStringToAnsiString + 48 8063B9F5 3 Bytes [AE, 57, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeStringToAnsiString + 8E 8063BA3B 3 Bytes [EC, 56, 80]
PAGE ntoskrnl.exe!RtlOemStringToCountedUnicodeString + B 8063BA82 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!RtlOemStringToCountedUnicodeString + 5D 8063BAD4 3 Bytes [AE, 57, 80]
PAGE ntoskrnl.exe!RtlOemStringToCountedUnicodeString + A3 8063BB1A 3 Bytes [EC, 56, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeStringToCountedOemString + 8 8063BB48 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeStringToCountedOemString + 60 8063BBA0 3 Bytes [AE, 57, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeStringToCountedOemString + BB 8063BBFB 3 Bytes [EC, 56, 80]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeStringToCountedOemString + E3 8063BC23 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlEqualLuid + 576 8063C3BB 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlEqualLuid + 599 8063C3DE 3 Bytes [58, 5E, 80]
PAGE ntoskrnl.exe!RtlEqualLuid + 59F 8063C3E4 3 Bytes [58, 5E, 80]
PAGE ntoskrnl.exe!RtlEqualLuid + 5A7 8063C3EC 3 Bytes [58, 5E, 80]
PAGE ntoskrnl.exe!RtlCharToInteger + 4 8063C5FB 3 Bytes [E6, 52, 80]
PAGE ntoskrnl.exe!RtlCharToInteger + 153 8063C74A 3 Bytes CALL 68E41A35
PAGE ntoskrnl.exe!RtlCharToInteger + 15D 8063C754 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlCharToInteger + 246 8063C83D 3 Bytes [A5, 58, 80]
PAGE ntoskrnl.exe!RtlCharToInteger + 279 8063C870 3 Bytes [A5, 58, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlInt64ToUnicodeString + A 8063CB0B 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlSetTimeZoneInformation + 26 8063CD25 3 Bytes [30, 5C, 80]
PAGE ntoskrnl.exe!RtlSetTimeZoneInformation + 55 8063CD54 3 Bytes [30, 5C, 80]
PAGE ntoskrnl.exe!RtlSetTimeZoneInformation + 75 8063CD74 3 Bytes [30, 5C, 80]
PAGE ntoskrnl.exe!RtlSetTimeZoneInformation + 91 8063CD90 3 Bytes [31, 5C, 80]
PAGE ntoskrnl.exe!RtlSetTimeZoneInformation + B7 8063CDB6 3 Bytes [31, 5C, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlDecompressBuffer + 38 8063CE55 3 Bytes [CE, 63, 80]
PAGE ntoskrnl.exe!RtlDecompressBuffer + 50 8063CE6D 3 Bytes [ED, 63, 80]
PAGE ntoskrnl.exe!RtlDecompressBuffer + 54 8063CE71 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ntoskrnl.exe!RtlDecompressBuffer + 58 8063CE75 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ntoskrnl.exe!RtlDecompressBuffer + 5C 8063CE79 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ...
PAGE ntoskrnl.exe!RtlDescribeChunk + 35 8063CECA 3 Bytes [CE, 63, 80]
PAGE ntoskrnl.exe!RtlDescribeChunk + 4C 8063CEE1 3 Bytes [EF, 63, 80]
PAGE ntoskrnl.exe!RtlDescribeChunk + 50 8063CEE5 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ntoskrnl.exe!RtlDescribeChunk + 54 8063CEE9 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ntoskrnl.exe!RtlDescribeChunk + 58 8063CEED 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ...
PAGE ntoskrnl.exe!RtlReserveChunk + 35 8063CF37 3 Bytes [CF, 63, 80]
PAGE ntoskrnl.exe!RtlReserveChunk + 4F 8063CF51 3 Bytes [EF, 63, 80]
PAGE ntoskrnl.exe!RtlReserveChunk + 53 8063CF55 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ntoskrnl.exe!RtlReserveChunk + 57 8063CF59 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ntoskrnl.exe!RtlReserveChunk + 5B 8063CF5D 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGE ...
PAGE ntoskrnl.exe!RtlCompressChunks + 193 8063D2CE 3 Bytes [37, 54, 80]
PAGE ntoskrnl.exe!RtlCompressChunks + 1CA 8063D305 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlCompressChunks + 2AA 8063D3E5 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlCreateSystemVolumeInformationFolder + B 8063D643 3 Bytes [D7, 63, 80]
PAGE ntoskrnl.exe!RtlIsValidOemCharacter + 9 8063D857 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!RtlIsValidOemCharacter + 1B 8063D869 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!RtlIsValidOemCharacter + 26 8063D874 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!RtlIsValidOemCharacter + 4C 8063D89A 3 Bytes CALL 8FE44241
PAGE ntoskrnl.exe!RtlIsValidOemCharacter + 8C 8063D8DA 3 Bytes [A7, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!RtlIsNameLegalDOS8Dot3 + A 8063D99C 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlIsNameLegalDOS8Dot3 + A4 8063DA36 3 Bytes [A7, 69, 80]
PAGE ntoskrnl.exe!RtlIsNameLegalDOS8Dot3 + B3 8063DA45 3 Bytes [C4, 56, 80] {LES EDX, DWORD [ESI-0x80]}
PAGE ntoskrnl.exe!RtlIsNameLegalDOS8Dot3 + FB 8063DA8D 3 Bytes [E2, 5D, 80]
PAGE ntoskrnl.exe!RtlLockBootStatusData + D 8063DB29 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!RtlLockBootStatusData + 26 8063DB42 3 Bytes [DB, 63, 80]
PAGE ntoskrnl.exe!RtlLockBootStatusData + 46 8063DB62 3 Bytes [DC, 63, 80] {FSUB QWORD [EBX-0x80]}
PAGE ntoskrnl.exe!RtlTimeToElapsedTimeFields + 17E 8063DF13 3 Bytes [DF, 63, 80] {FBLD TBYTE [EBX-0x80]}
PAGE ntoskrnl.exe!RtlTimeToElapsedTimeFields + 310 8063E0A5 3 Bytes JMP 758063E1
PAGE ntoskrnl.exe!RtlTimeToElapsedTimeFields + 317 8063E0AC 3 Bytes [E1, 63, 80]
PAGE ntoskrnl.exe!RtlTimeToElapsedTimeFields + 335 8063E0CA 3 Bytes [E1, 63, 80]
PAGE ntoskrnl.exe!RtlTimeToElapsedTimeFields + 379 8063E10E 3 Bytes [E2, 63, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwAdjustGroupsToken + 4 8063F4B7 3 Bytes [E7, 52, 80]
PAGE ntoskrnl.exe!ZwAdjustGroupsToken + 59 8063F50C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwAdjustGroupsToken + 79 8063F52C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwAdjustGroupsToken + 107 8063F5BA 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!ZwAdjustGroupsToken + 1C4 8063F677 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!SeAssignSecurityEx + 3CE 80640122 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!SeAssignSecurityEx + 434 80640188 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!SeAssignSecurityEx + 48A 806401DE 3 Bytes [AB, 69, 80]
PAGE ntoskrnl.exe!SeAssignSecurityEx + 4D4 80640228 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!SeAssignSecurityEx + 4F8 8064024C 3 Bytes [AE, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!SeAuditHardLinkCreation + BF 8064075E 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!SeAuditHardLinkCreation + F6 80640795 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!SeAuditHardLinkCreation + 62D 80640CCC 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeAuditHardLinkCreation + 9BE 8064105D 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!SeAuditHardLinkCreation + C9A 80641339 3 Bytes [7B, 57, 80]
PAGE ...
PAGE ntoskrnl.exe!SeCloseObjectAuditAlarm + 2B 80641785 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!SeDeleteObjectAuditAlarm + 25 806417CC 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!SeDeleteObjectAuditAlarm + 4D2 80641C79 3 Bytes [AB, 69, 80]
PAGE ntoskrnl.exe!SeAuditingFileEvents + A 80641D4F 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeAuditingFileEvents + 12 80641D57 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeAuditingFileEvents + 21 80641D66 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeAuditingFileEvents + 2D 80641D72 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeAuditingFileEvents + 39 80641D7E 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeAuditingHardLinkEvents + 2C 80641DC9 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeAuditingHardLinkEvents + 34 80641DD1 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeAuditingHardLinkEvents + 41 80641DDE 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!ZwDeleteObjectAuditAlarm + 4 80641F29 3 Bytes [E7, 52, 80]
PAGE ntoskrnl.exe!SeOpenObjectForDeleteAuditAlarm + 1AB 8064220E 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!SeOpenObjectForDeleteAuditAlarm + 1D7 8064223A 3 Bytes [7B, 57, 80]
PAGE ntoskrnl.exe!SeOpenObjectForDeleteAuditAlarm + 3C2 80642425 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!SeOpenObjectForDeleteAuditAlarm + 3CD 80642430 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!SeOpenObjectForDeleteAuditAlarm + 43B 8064249E 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!SeImpersonateClient + 23 80642641 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!SeImpersonateClient + 6C 8064268A 3 Bytes [29, 64, 80]
PAGE ntoskrnl.exe!SeImpersonateClient + 183 806427A1 3 Bytes [29, 64, 80]
PAGE ntoskrnl.exe!SeUnregisterLogonSessionTerminatedRoutine + 27 806429DF 3 Bytes [CD, 55, 80]
PAGE ntoskrnl.exe!SeUnregisterLogonSessionTerminatedRoutine + 34 806429EC 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeUnregisterLogonSessionTerminatedRoutine + 3B 806429F3 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeUnregisterLogonSessionTerminatedRoutine + 7A 80642A32 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!SeUnregisterLogonSessionTerminatedRoutine + AE 80642A66 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!SeMarkLogonSessionForTerminationNotification + 8 80642A87 3 Bytes [AF, 69, 80]
PAGE ntoskrnl.exe!SeMarkLogonSessionForTerminationNotification + 29 80642AA8 3 Bytes [CC, 55, 80]
PAGE ntoskrnl.exe!SeMarkLogonSessionForTerminationNotification + 7A 80642AF9 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!SeMarkLogonSessionForTerminationNotification + B5 80642B34 3 Bytes [CD, 55, 80]
PAGE ntoskrnl.exe!SeMarkLogonSessionForTerminationNotification + C2 80642B41 3 Bytes [AE, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!SeTokenIsAdmin + F7 80642ECE 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!SeTokenIsAdmin + 323 806430FA 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeTokenIsAdmin + 32C 80643103 3 Bytes [31, 64, 80]
PAGE ntoskrnl.exe!SeTokenIsAdmin + 381 80643158 3 Bytes [AE, 69, 80]
PAGE ntoskrnl.exe!SeTokenIsAdmin + 38E 80643165 3 Bytes [32, 64, 80]
PAGE ...
PAGE ntoskrnl.exe!WmiStopTrace + 6A 80645C51 3 Bytes [EB, 52, 80]
PAGE ntoskrnl.exe!WmiStopTrace + 9C 80645C83 3 Bytes [A0, 56, 80]
PAGE ntoskrnl.exe!WmiStopTrace + F2 80645CD9 3 Bytes [A0, 56, 80]
PAGE ntoskrnl.exe!WmiStopTrace + 145 80645D2C 3 Bytes [CE, 55, 80]
PAGE ntoskrnl.exe!WmiStopTrace + 156 80645D3D 3 Bytes [CE, 55, 80]
PAGE ...
PAGE ntoskrnl.exe!WmiUpdateTrace + 4 80645E08 3 Bytes [EB, 52, 80]
PAGE ntoskrnl.exe!WmiUpdateTrace + F1 80645EF5 3 Bytes [EB, 52, 80]
PAGE ntoskrnl.exe!WmiUpdateTrace + 1B2 80645FB6 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!WmiUpdateTrace + 1DD 80645FE1 3 Bytes [0D, 56, 80]
PAGE ntoskrnl.exe!WmiUpdateTrace + 38C 80646190 3 Bytes [CE, 55, 80]
PAGE ...
PAGE ntoskrnl.exe!WmiFlushTrace + 71 806464F8 3 Bytes [A0, 56, 80]
PAGE ntoskrnl.exe!WmiQueryTraceInformation + 7 8064651B 3 Bytes [EB, 52, 80]
PAGE ntoskrnl.exe!WmiQueryTraceInformation + 11 80646525 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!WmiQueryTraceInformation + 47 8064655B 3 Bytes [69, 64, 80]
PAGE ntoskrnl.exe!WmiQueryTraceInformation + 1C4 806466D8 3 Bytes [A0, 56, 80]
PAGE ntoskrnl.exe!WmiQueryTraceInformation + 1D2 806466E6 3 Bytes [A1, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!IoWMIAllocateInstanceIds + C 80646A46 3 Bytes [9F, 56, 80]
PAGE ntoskrnl.exe!IoWMIAllocateInstanceIds + 27 80646A61 3 Bytes [A2, 56, 80]
PAGE ntoskrnl.exe!IoWMIAllocateInstanceIds + 86 80646AC0 3 Bytes [A2, 56, 80]
PAGE ntoskrnl.exe!IoWMIAllocateInstanceIds + B2 80646AEC 3 Bytes [9F, 56, 80]
PAGE ntoskrnl.exe!IoWMIAllocateInstanceIds + D0 80646B0A 3 Bytes [9F, 56, 80]
PAGE ntoskrnl.exe!IoWMISuggestInstanceName + E 80646B2F 3 Bytes [9F, 56, 80]
PAGE ntoskrnl.exe!IoWMISuggestInstanceName + 177 80646C98 3 Bytes [6D, 64, 80]
PAGE ntoskrnl.exe!IoWMIQueryAllDataMultiple + A 80646D7C 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!IoWMIQuerySingleInstanceMultiple + A 80646DFE 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!IoWMIExecuteMethod + 1B8 806471E7 3 Bytes [BA, 55, 80]
PAGE ntoskrnl.exe!IoWMIExecuteMethod + 28C 806472BB 3 Bytes [BA, 55, 80]
PAGE ntoskrnl.exe!IoWMIExecuteMethod + 2D3 80647302 3 Bytes [BA, 55, 80]
PAGE ntoskrnl.exe!IoWMIExecuteMethod + 317 80647346 3 Bytes [A1, 56, 80]
PAGE ntoskrnl.exe!IoWMIExecuteMethod + 320 8064734F 3 Bytes [A1, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ExReleaseRundownProtectionEx + DE 8064C6FD 3 Bytes [78, 55, 80]
PAGE ntoskrnl.exe!ExReleaseRundownProtectionEx + 117 8064C736 3 Bytes [BA, 55, 80]
PAGE ntoskrnl.exe!ExReleaseRundownProtectionEx + 324 8064C943 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!ExReleaseRundownProtectionEx + 32C 8064C94B 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!ExReleaseRundownProtectionEx + 336 8064C955 3 Bytes [A9, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!NtShutdownSystem + 5F 8064E63E 3 Bytes [A6, 56, 80]
PAGE ntoskrnl.exe!NtShutdownSystem + C2 8064E6A1 3 Bytes [A9, 56, 80]
PAGE ntoskrnl.exe!NtShutdownSystem + D2 8064E6B1 3 Bytes [B0, 69, 80]
PAGE ntoskrnl.exe!NtShutdownSystem + E6 8064E6C5 3 Bytes [B0, 69, 80]
PAGE ntoskrnl.exe!NtShutdownSystem + EC 8064E6CB 3 Bytes [B0, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ExSetTimerResolution + 10 8064E893 3 Bytes [24, 56, 80]
PAGE ntoskrnl.exe!ExSetTimerResolution + 1F 8064E8A2 3 Bytes [B1, 69, 80]
PAGE ntoskrnl.exe!ExSetTimerResolution + 27 8064E8AA 3 Bytes [B1, 69, 80]
PAGE ntoskrnl.exe!ExSetTimerResolution + 2F 8064E8B2 3 Bytes [B0, 69, 80]
PAGE ntoskrnl.exe!ExSetTimerResolution + 3E 8064E8C1 3 Bytes [A0, 55, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwSetSystemTime + 4 8064EE97 3 Bytes [ED, 52, 80]
PAGE ntoskrnl.exe!ZwSetSystemTime + 2E 8064EEC1 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSetSystemTime + 34 8064EEC7 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSetSystemTime + 5F 8064EEF2 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSetSystemTime + 6A 8064EEFD 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwRaiseHardError + 4 8064F1E3 3 Bytes [EE, 52, 80]
PAGE ntoskrnl.exe!ZwRaiseHardError + 4C 8064F22B 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwRaiseHardError + 83 8064F262 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwRaiseHardError + CE 8064F2AD 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwRaiseHardError + FA 8064F2D9 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwQuerySemaphore + 4 8064F4A7 3 Bytes [EE, 52, 80]
PAGE ntoskrnl.exe!ZwQuerySemaphore + 2B 8064F4CE 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySemaphore + 52 8064F4F5 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySemaphore + C1 8064F564 3 Bytes [A5, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySemaphore + 1C2 8064F665 3 Bytes [A4, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwQuerySystemEnvironmentValue + 4 8064FC1F 3 Bytes [EE, 52, 80]
PAGE ntoskrnl.exe!ZwQuerySystemEnvironmentValue + 3D 8064FC58 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySystemEnvironmentValue + 7F 8064FC9A 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySystemEnvironmentValue + A1 8064FCBC 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQuerySystemEnvironmentValue + B7 8064FCD2 3 Bytes [AD, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwSetSystemEnvironmentValue + 4 8064FEBC 3 Bytes [EE, 52, 80]
PAGE ntoskrnl.exe!ZwSetSystemEnvironmentValue + 40 8064FEF8 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSetSystemEnvironmentValue + 80 8064FF38 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSetSystemEnvironmentValue + 99 8064FF51 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSetSystemEnvironmentValue + D9 8064FF91 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwOpenTimer + 4 8065016F 3 Bytes [EE, 52, 80]
PAGE ntoskrnl.exe!ZwOpenTimer + 28 80650193 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwOpenTimer + 79 806501E4 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwCreateEventPair + 4 80650248 3 Bytes [EE, 52, 80]
PAGE ntoskrnl.exe!ZwCreateEventPair + 29 8065026D 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateEventPair + 77 806502BB 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwOpenEventPair + 4 80650339 3 Bytes CALL 68E5562C
PAGE ntoskrnl.exe!ZwOpenEventPair + 28 8065035D 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwOpenEventPair + 79 806503AE 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwWaitLowEventPair + 24 8065042B 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwWaitHighEventPair + 24 80650495 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwSetLowWaitHighEventPair + 23 806504FE 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwSetLowWaitHighEventPair + 3C 80650517 3 Bytes [F0, 55, 80]
PAGE ntoskrnl.exe!ZwSetHighWaitLowEventPair + 23 80650570 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwSetHighWaitLowEventPair + 3C 80650589 3 Bytes [F0, 55, 80]
PAGE ntoskrnl.exe!ZwSetLowEventPair + 22 806505E1 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwSetLowEventPair + 3B 806505FA 3 Bytes [F0, 55, 80]
PAGE ntoskrnl.exe!ZwSetHighEventPair + 22 8065064B 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwSetHighEventPair + 3B 80650664 3 Bytes [F0, 55, 80]
PAGE ntoskrnl.exe!ZwQueryMutant + 4 806506A2 3 Bytes [EF, 52, 80]
PAGE ntoskrnl.exe!ZwQueryMutant + 2F 806506CD 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryMutant + 56 806506F4 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryMutant + 85 80650723 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwCreateProfile + 4 80650869 3 Bytes [EF, 52, 80]
PAGE ntoskrnl.exe!ZwCreateProfile + B7 8065091C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateProfile + E9 8065094E 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateProfile + F9 8065095E 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwCreateProfile + FF 80650964 3 Bytes [AC, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwStartProfile + 4 80650AB0 3 Bytes [EF, 52, 80]
PAGE ntoskrnl.exe!ZwStartProfile + 28 80650AD4 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwStartProfile + 43 80650AEF 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwStartProfile + 153 80650BFF 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwStartProfile + 18F 80650C3B 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwStopProfile + 24 80650C89 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwStopProfile + 42 80650CA7 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwQueryIntervalProfile + 4 80650D1B 3 Bytes [EF, 52, 80]
PAGE ntoskrnl.exe!ZwQueryIntervalProfile + 25 80650D3C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSystemDebugControl + 4 80650DC9 3 Bytes [EF, 52, 80]
PAGE ntoskrnl.exe!ZwSystemDebugControl + 30 80650DF5 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSystemDebugControl + 36 80650DFB 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSystemDebugControl + 71 80650E36 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSystemDebugControl + 97 80650E5C 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwReleaseKeyedEvent + 4 8065123D 3 Bytes [EF, 52, 80]
PAGE ntoskrnl.exe!ZwReleaseKeyedEvent + 4C 80651285 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwReleaseKeyedEvent + 77 806512B0 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwReleaseKeyedEvent + 18B 806513C4 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ZwReleaseKeyedEvent + 1AB 806513E4 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwWaitForKeyedEvent + 4 806514A8 3 Bytes [EF, 52, 80]
PAGE ntoskrnl.exe!ZwWaitForKeyedEvent + 4A 806514EE 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwWaitForKeyedEvent + 74 80651518 3 Bytes [A4, 56, 80]
PAGE ntoskrnl.exe!ZwWaitForKeyedEvent + 16A 8065160E 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ZwWaitForKeyedEvent + 1F3 80651697 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!LsaRegisterLogonProcess + D 8065172E 3 Bytes [A3, 55, 80]
PAGE ntoskrnl.exe!LsaRegisterLogonProcess + 37 80651758 3 Bytes [EF, 52, 80]
PAGE ntoskrnl.exe!LsaRegisterLogonProcess + 11B 8065183C 3 Bytes [EF, 52, 80]
PAGE ntoskrnl.exe!LsaDeregisterLogonProcess + B58 8065265F 3 Bytes [A9, 55, 80]
PAGE ntoskrnl.exe!LsaDeregisterLogonProcess + B63 8065266A 3 Bytes [A9, 55, 80]
PAGE ntoskrnl.exe!LsaDeregisterLogonProcess + FC8 80652ACF 3 Bytes [F0, 52, 80]
PAGE ntoskrnl.exe!LsaDeregisterLogonProcess + 1000 80652B07 3 Bytes [A5, 55, 80]
PAGE ntoskrnl.exe!LsaDeregisterLogonProcess + 1184 80652C8B 3 Bytes [A9, 55, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwUnloadKey + 4 80654DEA 3 Bytes [F3, 52, 80]
PAGE ntoskrnl.exe!ZwUnloadKey + 23 80654E09 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwUnloadKey + 29 80654E0F 3 Bytes CALL 68E5B7C0
PAGE ntoskrnl.exe!ZwUnloadKey + 68 80654E4E 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwUnloadKey + AD 80654E93 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwUnloadKeyEx + 4 80655013 3 Bytes [F3, 52, 80]
PAGE ntoskrnl.exe!ZwUnloadKeyEx + 29 80655038 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwUnloadKeyEx + 2F 8065503E 3 Bytes CALL 68E5B9EF
PAGE ntoskrnl.exe!ZwUnloadKeyEx + 6D 8065507C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwUnloadKeyEx + B1 806550C0 3 Bytes [7E, 56, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwSetInformationKey + 4 80655273 3 Bytes [F3, 52, 80]
PAGE ntoskrnl.exe!ZwSetInformationKey + 19 80655288 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwSetInformationKey + 21 80655290 3 Bytes [81, 55, 80]
PAGE ntoskrnl.exe!ZwSetInformationKey + 4E 806552BD 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwSetInformationKey + 76 806552E5 3 Bytes [B3, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey + 4 80655710 3 Bytes [F4, 52, 80]
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey + 14 80655720 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey + 1C 80655728 3 Bytes [81, 55, 80]
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey + 3F 8065574B 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey + 5F 8065576B 3 Bytes [B3, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwQueryOpenSubKeys + 4 80655917 3 Bytes [F4, 52, 80]
PAGE ntoskrnl.exe!ZwQueryOpenSubKeys + 29 8065593C 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryOpenSubKeys + 3E 80655951 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryOpenSubKeys + 82 80655995 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwQueryOpenSubKeys + BF 806559D2 3 Bytes [B3, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwRenameKey + 4 80655B8C 3 Bytes [F4, 52, 80]
PAGE ntoskrnl.exe!ZwRenameKey + 35 80655BBD 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwRenameKey + 68 80655BF0 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwRenameKey + E7 80655C6F 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwRenameKey + 120 80655CA8 3 Bytes [A0, 69, 80]
PAGE ntoskrnl.exe!ZwCompactKeys + 4 80655D28 3 Bytes [F4, 52, 80]
PAGE ntoskrnl.exe!ZwCompactKeys + 25 80655D49 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwCompactKeys + 2B 80655D4F 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwCompactKeys + 83 80655DA7 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCompactKeys + E8 80655E0C 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwCompressKey + 1B 80655FAE 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwCompressKey + 21 80655FB4 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwCompressKey + 41 80655FD4 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwRestoreKey + 1D 8065609A 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwRestoreKey + 23 806560A0 3 Bytes CALL 68E5CA51
PAGE ntoskrnl.exe!ZwRestoreKey + 4C 806560C9 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwRestoreKey + B4 80656131 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwSaveKey + 1D 8065619B 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSaveKey + 23 806561A1 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSaveKey + 4C 806561CA 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwSaveKey + AD 8065622B 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwSaveKeyEx + 1C 80656285 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSaveKeyEx + 22 8065628B 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSaveKeyEx + 69 806562D2 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwSaveKeyEx + CE 80656337 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwSaveMergedKeys + 1E 806563B4 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSaveMergedKeys + 24 806563BA 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSaveMergedKeys + 51 806563E7 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwSaveMergedKeys + 79 8065640F 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwSaveMergedKeys + E4 8065647A 3 Bytes [B3, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwReplaceKey + 1F 80656507 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwReplaceKey + 25 8065650D 3 Bytes CALL 68E5CEBE
PAGE ntoskrnl.exe!ZwReplaceKey + 95 8065657D 3 Bytes [B3, 69, 80]
PAGE ntoskrnl.exe!ZwReplaceKey + 108 806565F0 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ZwReplaceKey + 15D 80656645 3 Bytes [B3, 69, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwCreateDebugObject + 4 806613DA 3 Bytes [F5, 52, 80]
PAGE ntoskrnl.exe!ZwCreateDebugObject + 29 806613FF 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwCreateDebugObject + 61 80661437 3 Bytes [F5, 55, 80]
PAGE ntoskrnl.exe!ZwCreateDebugObject + 1EA 806615C0 3 Bytes [05, 56, 80]
PAGE ntoskrnl.exe!ZwCreateDebugObject + 1FC 806615D2 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwWaitForDebugEvent + 7 80661D17 3 Bytes [F6, 52, 80] {NOT BYTE [EDX-0x80]}
PAGE ntoskrnl.exe!ZwWaitForDebugEvent + 51 80661D61 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwWaitForDebugEvent + 85 80661D95 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwWaitForDebugEvent + A8 80661DB8 3 Bytes [F5, 55, 80]
PAGE ntoskrnl.exe!ZwWaitForDebugEvent + 111 80661E21 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwSetInformationDebugObject + 4 80661FCB 3 Bytes [F6, 52, 80] {NOT BYTE [EDX-0x80]}
PAGE ntoskrnl.exe!ZwSetInformationDebugObject + 42 80662009 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSetInformationDebugObject + 56 8066201D 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwSetInformationDebugObject + BD 80662084 3 Bytes [F5, 55, 80]
PAGE ntoskrnl.exe!ZwSetInformationDebugObject + D8 8066209F 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwDebugActiveProcess + 21 80662572 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwDebugActiveProcess + 4C 8066259D 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwDebugActiveProcess + 5D 806625AE 3 Bytes [F5, 55, 80]
PAGE ntoskrnl.exe!ZwRemoveProcessDebug + 22 80662648 3 Bytes [97, 56, 80]
PAGE ntoskrnl.exe!ZwRemoveProcessDebug + 43 80662669 3 Bytes [F5, 55, 80]
PAGE ntoskrnl.exe!ZwDebugContinue + 4 806626AF 3 Bytes [F6, 52, 80] {NOT BYTE [EDX-0x80]}
PAGE ntoskrnl.exe!ZwDebugContinue + 29 806626D4 3 Bytes [7E, 56, 80]
PAGE ntoskrnl.exe!ZwDebugContinue + 7C 80662727 3 Bytes [F5, 55, 80]
PAGE ntoskrnl.exe!ZwDebugContinue + A1 8066274C 3 Bytes [81, 4D, 80]
PAGE ntoskrnl.exe!ZwDebugContinue + F5 806627A0 3 Bytes [81, 4D, 80]
PAGE ...
PAGE ntoskrnl.exe!ZwSetDebugFilterState + 16 8066401C 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSetDebugFilterState + 1C 80664022 3 Bytes [AC, 69, 80]
PAGE ntoskrnl.exe!ZwSetDebugFilterState + 2E 80664034 3 Bytes [36, 55, 80]
PAGE ntoskrnl.exe!ZwSetDebugFilterState + 33 80664039 3 Bytes [35, 55, 80]
PAGE ntoskrnl.exe!ZwSetDebugFilterState + 3C 80664042 3 Bytes [35, 55, 80]
PAGE ...
PAGELK ntoskrnl.exe!RtlGetCompressionWorkSpaceSize + 35 8066517B 3 Bytes [51, 66, 80]
PAGELK ntoskrnl.exe!RtlGetCompressionWorkSpaceSize + 4F 80665195 3 Bytes [51, 66, 80]
PAGELK ntoskrnl.exe!RtlGetCompressionWorkSpaceSize + 53 80665199 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGELK ntoskrnl.exe!RtlGetCompressionWorkSpaceSize + 57 8066519D 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGELK ntoskrnl.exe!RtlGetCompressionWorkSpaceSize + 5B 806651A1 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGELK ...
PAGELK ntoskrnl.exe!IoUnregisterShutdownNotification + C 80665353 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
PAGELK ntoskrnl.exe!IoUnregisterShutdownNotification + 1A 80665361 3 Bytes [81, 4D, 80]
PAGELK ntoskrnl.exe!IoUnregisterShutdownNotification + 20 80665367 3 Bytes [0E, 56, 80]
PAGELK ntoskrnl.exe!IoUnregisterShutdownNotification + 2B 80665372 3 Bytes [0E, 56, 80]
PAGELK ntoskrnl.exe!IoUnregisterShutdownNotification + 61 806653A8 3 Bytes [7E, 56, 80]
PAGELK ...
PAGELK ntoskrnl.exe!MmAllocatePagesForMdl + 36 806658A3 3 Bytes [7E, 56, 80]
PAGELK ntoskrnl.exe!MmAllocatePagesForMdl + 71 806658DE 3 Bytes [7E, 56, 80]
PAGELK ntoskrnl.exe!MmAllocatePagesForMdl + 77 806658E4 3 Bytes [A2, 55, 80]
PAGELK ntoskrnl.exe!MmAllocatePagesForMdl + C9 80665936 3 Bytes [7E, 56, 80]
PAGELK ntoskrnl.exe!MmAllocatePagesForMdl + F1 8066595E 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
PAGELK ...
PAGELK ntoskrnl.exe!KeI386SetGdtSelector + 1A 806664F4 3 Bytes [BA, 55, 80]
PAGELK ntoskrnl.exe!KeI386SetGdtSelector + 4F 80666529 3 Bytes [82, 4D, 80]
PAGELK ntoskrnl.exe!KeI386SetGdtSelector + 5A 80666534 3 Bytes [23, 56, 80] {AND EDX, [ESI-0x80]}
PAGELK ntoskrnl.exe!KeI386SetGdtSelector + 93 8066656D 3 Bytes [18, 56, 80] {SBB [ESI-0x80], DL}
PAGELK ntoskrnl.exe!KeI386SetGdtSelector + 99 80666573 3 Bytes [18, 56, 80] {SBB [ESI-0x80], DL}
PAGELK ...
PAGELK ntoskrnl.exe!MmMarkPhysicalMemoryAsGood + 2D 80669B9A 3 Bytes [78, 56, 80]
PAGELK ntoskrnl.exe!MmMarkPhysicalMemoryAsGood + 35 80669BA2 3 Bytes [81, 4D, 80]
PAGELK ntoskrnl.exe!MmMarkPhysicalMemoryAsGood + 3A 80669BA7 3 Bytes [7E, 56, 80]
PAGELK ntoskrnl.exe!MmMarkPhysicalMemoryAsGood + 55 80669BC2 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
PAGELK ntoskrnl.exe!MmMarkPhysicalMemoryAsGood + 67 80669BD4 3 Bytes [81, 4D, 80]
PAGELK ...
PAGELK ntoskrnl.exe!MmGetPhysicalMemoryRanges + B 80669D02 3 Bytes [78, 56, 80]
PAGELK ntoskrnl.exe!MmGetPhysicalMemoryRanges + 11 80669D08 3 Bytes [81, 4D, 80]
PAGELK ntoskrnl.exe!MmGetPhysicalMemoryRanges + 16 80669D0D 3 Bytes [34, 56, 80]
PAGELK ntoskrnl.exe!MmGetPhysicalMemoryRanges + 39 80669D30 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
PAGELK ntoskrnl.exe!MmGetPhysicalMemoryRanges + 47 80669D3E 3 Bytes [81, 4D, 80]
PAGELK ...
PAGELK ntoskrnl.exe!MmAdjustWorkingSetSize + 3A 8066AC75 3 Bytes [7D, 55, 80]
PAGELK ntoskrnl.exe!MmAdjustWorkingSetSize + 9E 8066ACD9 3 Bytes [30, 56, 80] {XOR [ESI-0x80], DL}
PAGELK ntoskrnl.exe!MmAdjustWorkingSetSize + A9 8066ACE4 3 Bytes [81, 4D, 80]
PAGELK ntoskrnl.exe!MmAdjustWorkingSetSize + B7 8066ACF2 3 Bytes [81, 4D, 80]
PAGELK ntoskrnl.exe!MmAdjustWorkingSetSize + DA 8066AD15 3 Bytes [F5, 4F, 80]
PAGELK ...
PAGELK ntoskrnl.exe!MmFreePagesFromMdl + D 8066B10C 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
PAGELK ntoskrnl.exe!MmFreePagesFromMdl + 3C 8066B13B 3 Bytes [81, 4D, 80]
PAGELK ntoskrnl.exe!MmFreePagesFromMdl + 50 8066B14F 3 Bytes [7E, 56, 80]
PAGELK ntoskrnl.exe!MmFreePagesFromMdl + 91 8066B190 3 Bytes [7D, 56, 80]
PAGELK ntoskrnl.exe!MmFreePagesFromMdl + 97 8066B196 3 Bytes [76, 56, 80]
PAGELK ...
PAGELK ntoskrnl.exe!MmMapUserAddressesToPage + A 8066B230 3 Bytes [7E, 56, 80]
PAGELK ntoskrnl.exe!MmMapUserAddressesToPage + 54 8066B27A 3 Bytes [81, 4D, 80]
PAGELK ntoskrnl.exe!MmMapUserAddressesToPage + D3 8066B2F9 3 Bytes [08, 56, 80] {OR [ESI-0x80], DL}
PAGELK ntoskrnl.exe!MmMapUserAddressesToPage + 134 8066B35A 3 Bytes [81, 4D, 80]
PAGELK ntoskrnl.exe!MmMapUserAddressesToPage + 16E 8066B394 3 Bytes [81, 4D, 80]
PAGELK ...
PAGELK ntoskrnl.exe!PoSetHiberRange + 11D 8066E0B7 3 Bytes [81, 4D, 80]
PAGELK ntoskrnl.exe!PoSetHiberRange + 185 8066E11F 3 Bytes [81, 4D, 80]
PAGELK ntoskrnl.exe!PoSetHiberRange + 22E 8066E1C8 3 Bytes [BA, 55, 80]
PAGELK ntoskrnl.exe!PoSetHiberRange + 238 8066E1D2 3 Bytes [78, 55, 80]
PAGELK ntoskrnl.exe!PoSetHiberRange + 632 8066E5CC 3 Bytes [DF, 66, 80] {FBLD TBYTE [ESI-0x80]}
PAGELK ...
PAGELK ntoskrnl.exe!ZwSetSystemPowerState + 7 8066F0EE 3 Bytes [E3, 52, 80]
PAGELK ntoskrnl.exe!ZwSetSystemPowerState + 11 8066F0F8 3 Bytes [A3, 55, 80]
PAGELK ntoskrnl.exe!ZwSetSystemPowerState + 3B 8066F122 3 Bytes [AC, 69, 80]
PAGELK ntoskrnl.exe!ZwSetSystemPowerState + 41 8066F128 3 Bytes [AC, 69, 80]
PAGELK ntoskrnl.exe!ZwSetSystemPowerState + BC 8066F1A3 3 Bytes [8D, 56, 80] {LEA EDX, [ESI-0x80]}
PAGELK ...
PAGELK ntoskrnl.exe!RtlCompressBuffer + 47 8067125E 3 Bytes [12, 67, 80] {ADC AH, [EDI-0x80]}
PAGELK ntoskrnl.exe!RtlCompressBuffer + 5E 80671275 3 Bytes [26, 67, 80]
PAGELK ntoskrnl.exe!RtlCompressBuffer + 62 80671279 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGELK ntoskrnl.exe!RtlCompressBuffer + 66 8067127D 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGELK ntoskrnl.exe!RtlCompressBuffer + 6A 80671281 3 Bytes [D2, 63, 80] {SHL BYTE [EBX-0x80], CL}
PAGELK ...
? spsh.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F71C78AC 5 Bytes JMP 84E501D8
.text aqwx560y.SYS F7127384 1 Byte [20]
.text aqwx560y.SYS F7127384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text aqwx560y.SYS F71273AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text aqwx560y.SYS F71273C4 3 Bytes [00, 00, 00]
.text aqwx560y.SYS F71273C9 1 Byte [00]
.text ...
.text win32k.sys!EngMulDiv + 926 BF81FE00 14 Bytes [55, 8B, EC, 56, 8B, 75, 08, ...]
.text win32k.sys!EngMulDiv + 936 BF81FE10 28 Bytes [00, F8, 23, C8, 75, 4E, 8B, ...]
.text win32k.sys!EngMulDiv + 953 BF81FE2D 11 Bytes CALL BF81FD5C \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMulDiv + 95F BF81FE39 64 Bytes CALL BF8044B4 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMulDiv + 9A1 BF81FE7B 4 Bytes [8B, F0, E9, D2]
.text ...
.text win32k.sys!EngSetLastError + D BF821049 4 Bytes [15, C0, DE, 98]
.text win32k.sys!EngSetLastError + 12 BF82104E 112 Bytes [85, C0, 74, 06, 8B, 4D, 08, ...]
.text win32k.sys!EngSetLastError + 83 BF8210BF 23 Bytes [4E, 28, 89, 4D, F4, 8D, 4D, ...]
.text win32k.sys!EngSetLastError + 9B BF8210D7 4 Bytes CALL BF80119E \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngSetLastError + A0 BF8210DC 14 Bytes [EB, C2, 89, 3D, 98, D0, 9A, ...] {JMP 0xffffffffffffffc4; MOV [0xbf9ad098], EDI; JMP 0xffffffffffffffd8; XOR ESI, ESI; JMP 0x3c}
.text ...
.text win32k.sys!CLIPOBJ_bEnum + 6 BF828CC8 310 Bytes [75, 10, 8B, 4D, 08, FF, 75, ...]
.text win32k.sys!CLIPOBJ_bEnum + 13D BF828DFF 179 Bytes [8B, 49, 74, 3B, 4D, 14, 77, ...]
.text win32k.sys!CLIPOBJ_bEnum + 1F1 BF828EB3 31 Bytes [47, 08, 0F, 8D, 7A, FF, FF, ...]
.text win32k.sys!CLIPOBJ_bEnum + 211 BF828ED3 10 Bytes [EC, 89, 47, 0C, 8B, 41, 54, ...] {IN AL, DX ; MOV [EDI+0xc], EAX; MOV EAX, [ECX+0x54]; ADD [ECX+0x50], EAX}
.text win32k.sys!CLIPOBJ_bEnum + 21C BF828EDE 10 Bytes [45, 0C, 83, C7, 10, 83, EB, ...]
.text ...
.text win32k.sys!EngLpkInstalled + 1 BF82A236 23 Bytes [0D, 3C, 79, 9A, BF, 33, C0, ...]
.text win32k.sys!EngLpkInstalled + 19 BF82A24E 9 Bytes [55, 8B, EC, 8B, 81, C4, 00, ...] {PUSH EBP; MOV EBP, ESP; MOV EAX, [ECX+0xc4]}
.text win32k.sys!EngLpkInstalled + 23 BF82A258 27 Bytes [91, B0, 00, 00, 00, 89, 10, ...]
.text win32k.sys!EngLpkInstalled + 3F BF82A274 1 Byte [50]
.text win32k.sys!EngLpkInstalled + 3F BF82A274 19 Bytes [50, 04, 8B, 81, CC, 00, 00, ...]
.text ...
.text win32k.sys!EngBitBlt + B2 BF82BCC4 134 Bytes [FF, 3D, 5A, 5A, 00, 00, 0F, ...]
.text win32k.sys!EngBitBlt + 139 BF82BD4B 3 Bytes [C7, 40, 14]
.text win32k.sys!EngBitBlt + 13D BF82BD4F 54 Bytes [00, 00, 00, FF, 70, 28, FF, ...]
.text win32k.sys!EngBitBlt + 174 BF82BD86 19 Bytes [75, 0A, 83, 78, 18, 08, 0F, ...]
.text win32k.sys!EngBitBlt + 188 BF82BD9A 18 Bytes [EB, 06, 83, 7F, 3C, 03, 74, ...]
.text ...
.text win32k.sys!EngPaint + 2 BF82CBAD 94 Bytes [55, 8B, EC, 8B, 45, 18, 8B, ...]
.text win32k.sys!EngPaint + 61 BF82CC0C 113 Bytes [FD, FF, 8B, 45, 08, 89, 86, ...]
.text win32k.sys!EngPaint + D3 BF82CC7E 3 Bytes CALL BF800B3B \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngPaint + D7 BF82CC82 45 Bytes [8B, 4D, 08, B2, 04, E8, C4, ...]
.text win32k.sys!EngPaint + 105 BF82CCB0 19 Bytes CALL BF80119B \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngUnlockSurface + 2D BF833AFA 3 Bytes CALL BF80470E \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnlockSurface + 31 BF833AFE 177 Bytes [5E, 5D, C2, 04, 00, 90, 90, ...]
.text win32k.sys!EngLockSurface + 51 BF833BB0 9 Bytes [65, 08, 00, 8B, 0E, 8B, 46, ...] {OR GS:[EAX], AL; MOV ECX, [ESI]; MOV EAX, [ESI+0x10]; PUSH EDI}
.text win32k.sys!EngLockSurface + 5B BF833BBA 15 Bytes [7D, 0C, 85, FF, 75, 03, 8B, ...] {JGE 0xe; TEST EDI, EDI; JNZ 0x9; MOV EDI, [EAX+0x2c]; CMP DWORD [EBP+0x18], 0x0; JNZ 0x3c}
.text win32k.sys!EngLockSurface + 6B BF833BCA 20 Bytes [89, C0, 05, 00, 00, 85, C9, ...]
.text win32k.sys!EngLockSurface + 80 BF833BDF 55 Bytes [D1, 85, C0, 74, 12, 50, E8, ...]
.text win32k.sys!EngLockSurface + B8 BF833C17 55 Bytes [00, 00, 68, 87, 04, 00, 00, ...]
.text ...
.text win32k.sys!EngCopyBits + 62 BF836AD4 40 Bytes [55, 08, 8B, D8, 8D, 4D, 0C, ...]
.text win32k.sys!EngCopyBits + 8B BF836AFD 65 Bytes [43, 0C, 57, 57, 53, 8D, 4D, ...]
.text win32k.sys!EngCopyBits + CD BF836B3F 25 Bytes [00, 6A, 04, 59, 8B, 43, 24, ...]
.text win32k.sys!EngCopyBits + E8 BF836B5A 32 Bytes [83, 65, 0C, 00, 8B, 75, 18, ...]
.text win32k.sys!EngCopyBits + 109 BF836B7B 13 Bytes [8B, 45, 14, 33, C9, 3B, C1, ...]
.text ...
.text win32k.sys!EngMapFontFileFD + 1F BF836F56 115 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
.text win32k.sys!EngMapFontFileFD + 93 BF836FCA 78 Bytes [CF, 89, 4D, FC, 74, 48, C7, ...]
.text win32k.sys!EngMapFontFileFD + E4 BF83701B 18 Bytes [FF, 35, 30, 78, 9A, BF, E8, ...]
.text win32k.sys!EngMapFontFileFD + F7 BF83702E 5 Bytes [74, 17, 8B, 45, 0C] {JZ 0x19; MOV EAX, [EBP+0xc]}
.text win32k.sys!EngMapFontFileFD + FD BF837034 5 Bytes [C7, 74, 04, 8B, 0B]
.text ...
.text win32k.sys!EngUnmapFontFileFD + F4 BF837246 1 Byte [08]
.text win32k.sys!EngUnmapFontFileFD + F4 BF837246 11 Bytes JMP BF837314 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnmapFontFileFD + 100 BF837252 3 Bytes JMP BF83732E \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnmapFontFileFD + 104 BF837256 40 Bytes [00, 00, B9, 00, 02, 00, 00, ...]
.text win32k.sys!EngUnmapFontFileFD + 12D BF83727F 12 Bytes JMP BF83739C \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngCreateBitmap + A4 BF837FBD 21 Bytes [47, 10, 50, 83, C3, 28, 53, ...]
.text win32k.sys!EngCreateBitmap + BA BF837FD3 27 Bytes [F4, 50, 8D, 45, F4, 50, E8, ...]
.text win32k.sys!EngCreateBitmap + D6 BF837FEF 8 Bytes [8D, 47, 08, 50, FF, 75, 08, ...]
.text win32k.sys!EngCreateBitmap + DF BF837FF8 5 Bytes [EC, 50, E8, FA, FD]
.text win32k.sys!EngCreateBitmap + E6 BF837FFF 29 Bytes [8D, 47, 18, 50, 53, 8D, 45, ...]
.text ...
.text win32k.sys!PATHOBJ_bEnum + 7 BF84BCC0 79 Bytes [75, 08, 8B, 4E, 08, 57, 33, ...]
.text win32k.sys!PATHOBJ_bEnum + 57 BF84BD10 48 Bytes [22, 04, C1, 62, 04, 04, 83, ...]
.text win32k.sys!PATHOBJ_bEnum + 88 BF84BD41 29 Bytes [5D, C2, 04, 00, 90, 90, 90, ...]
.text win32k.sys!PATHOBJ_bEnum + A6 BF84BD5F 8 Bytes [C2, 83, 48, 08, 08, FF, 41, ...] {RET 0x4883; OR [EAX], CL; INC DWORD [ECX+0x4]}
.text win32k.sys!PATHOBJ_bEnum + AF BF84BD68 26 Bytes [49, 08, 33, C0, 40, 09, 41, ...]
.text ...
.text win32k.sys!EngComputeGlyphSet + 1 BF84FC93 2 Bytes [FF, 55]
.text win32k.sys!EngComputeGlyphSet + 4 BF84FC96 121 Bytes [EC, 51, 51, 83, 65, FC, 00, ...]
.text win32k.sys!EngComputeGlyphSet + 7E BF84FD10 64 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text win32k.sys!EngMultiByteToWideChar + 3C BF84FD51 100 Bytes [04, 79, 8A, 1C, 37, 66, 89, ...]
.text win32k.sys!EngMultiByteToWideChar + A2 BF84FDB7 14 Bytes [00, 8B, 45, 14, 89, 45, FC, ...]
.text win32k.sys!EngMultiByteToWideChar + B1 BF84FDC6 114 Bytes [FF, 75, FC, FF, 75, 08, E8, ...]
.text win32k.sys!EngMultiByteToWideChar + 124 BF84FE39 45 Bytes [00, 00, 57, 0F, 84, 52, FF, ...]
.text win32k.sys!EngMultiByteToWideChar + 152 BF84FE67 63 Bytes [85, 28, FF, FF, FF, 85, C0, ...]
.text ...
.text win32k.sys!EngDeviceIoControl + 6 BF85D8B8 27 Bytes [75, 20, FF, 75, 1C, FF, 75, ...]
.text win32k.sys!EngDeviceIoControl + 22 BF85D8D4 42 Bytes [00, C0, 3B, C1, 7E, 11, 3D, ...]
.text win32k.sys!EngDeviceIoControl + 4D BF85D8FF 29 Bytes [C0, 74, 0C, 3D, 23, 00, 00, ...]
.text win32k.sys!EngDeviceIoControl + 6B BF85D91D 37 Bytes [55, 8B, EC, 56, 57, 8B, 7D, ...]
.text win32k.sys!EngDeviceIoControl + 91 BF85D943 93 Bytes [35, 14, BE, 9A, BF, 33, DB, ...]
.text ...
.text win32k.sys!EngWaitForSingleObject + 2 BF85DD11 8 Bytes [55, 8B, EC, 8B, 4D, 08, 8B, ...] {PUSH EBP; MOV EBP, ESP; MOV ECX, [EBP+0x8]; MOV EAX, [ECX]}
.text win32k.sys!EngWaitForSingleObject + C BF85DD1B 10 Bytes [3B, C2, 74, 20, F6, 41, 04, ...] {CMP EAX, EDX; JZ 0x24; TEST BYTE [ECX+0x4], 0x1; JNZ 0x24}
.text win32k.sys!EngWaitForSingleObject + 17 BF85DD26 74 Bytes [75, 0C, 52, 52, 52, 50, FF, ...]
.text win32k.sys!EngUnicodeToMultiByteN + 2A BF85DD72 40 Bytes [2B, 81, A4, 08, 00, 00, 39, ...]
.text win32k.sys!EngUnicodeToMultiByteN + 53 BF85DD9B 38 Bytes [C1, 8B, 4D, 08, 89, 08, 5D, ...]
.text win32k.sys!STROBJ_vEnumStart + 19 BF85DDC3 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP}
.text win32k.sys!STROBJ_vEnumStart + 1D BF85DDC7 19 Bytes [EC, 8B, C1, 8B, 4D, 08, 33, ...] {IN AL, DX ; MOV EAX, ECX; MOV ECX, [EBP+0x8]; XOR EDX, EDX; MOV [EAX], ECX; CMP [ECX+0x40], DX; JNZ 0x29; MOV ECX, [ECX+0x2c]}
.text win32k.sys!STROBJ_vEnumStart + 31 BF85DDDB 43 Bytes [48, 04, 8B, 4D, 0C, 89, 48, ...]
.text win32k.sys!STROBJ_vEnumStart + 5D BF85DE07 14 Bytes [76, 0C, 53, 53, 57, 53, FF, ...] {JBE 0xe; PUSH EBX; PUSH EBX; PUSH EDI; PUSH EBX; PUSH DWORD [ESI+0x8]; PUSH EBX; PUSH EBX; PUSH DWORD [EBP-0x4]}
.text win32k.sys!STROBJ_vEnumStart + 6C BF85DE16 136 Bytes [55, F8, 83, C7, 10, EB, 1B, ...]
.text ...
.text win32k.sys!EngTextOut + B BF85E518 33 Bytes [A1, B4, BB, 99, BF, 89, 45, ...]
.text win32k.sys!EngTextOut + 2E BF85E53B 16 Bytes [8B, 45, 20, 89, 85, B0, FB, ...]
.text win32k.sys!EngTextOut + 40 BF85E54D 28 Bytes [8B, 45, 28, 53, 8B, 5D, 0C, ...]
.text win32k.sys!EngTextOut + 5D BF85E56A 16 Bytes [89, 85, F4, FB, FF, FF, 89, ...]
.text win32k.sys!EngTextOut + 6E BF85E57B 13 Bytes [FF, 8D, 85, 5C, FB, FF, FF, ...]
.text ...
.text win32k.sys!EngCreateClip + D683 BF91EE00 12 Bytes [8B, 46, 08, 57, 68, 20, F1, ...]
.text win32k.sys!EngCreateClip + D690 BF91EE0D 4 Bytes [00, 56, 6A, 07] {ADD [ESI+0x6a], DL; POP ES}
.text win32k.sys!EngCreateClip + D695 BF91EE12 38 Bytes CALL BF861059 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateClip + D6BC BF91EE39 137 Bytes [8B, F8, 33, DB, 3B, FB, 0F, ...]
.text win32k.sys!EngCreateClip + D746 BF91EEC3 13 Bytes [6A, 01, 53, FF, 75, 10, 89, ...] {PUSH 0x1; PUSH EBX; PUSH DWORD [EBP+0x10]; MOV [EBP-0x10], EDX; PUSH EBX; PUSH DWORD [EBP-0x4]}
.text ...
.text win32k.sys!XFORMOBJ_iGetFloatObjXform + 1C BF934099 15 Bytes CALL BF95D7B3 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!XFORMOBJ_iGetFloatObjXform + 2C BF9340A9 66 Bytes [16, 48, 48, 74, 0D, 83, E8, ...]
.text win32k.sys!FLOATOBJ_SetLong + 7 BF9340ED 35 Bytes CALL BF80F0F5 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FLOATOBJ_GetLong + 2 BF934111 111 Bytes [55, 8B, EC, 6A, 00, 8D, 45, ...]
.text win32k.sys!FLOATOBJ_Add BF934184 89 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
.text win32k.sys!FLOATOBJ_SubLong + 13 BF9341DE 47 Bytes [8D, 45, F8, 50, FF, 75, 08, ...]
.text win32k.sys!FLOATOBJ_MulFloat BF934212 132 Bytes [8B, FF, 55, 8B, EC, 51, 51, ...]
.text win32k.sys!FLOATOBJ_DivFloat + 13 BF934297 36 Bytes [8D, 45, F8, 50, FF, 75, 08, ...]
.text win32k.sys!FLOATOBJ_DivLong + D BF9342BC 25 Bytes CALL BF80F0F8 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FLOATOBJ_Div BF9342DA 29 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
.text win32k.sys!FLOATOBJ_Neg + 2 BF9342F8 20 Bytes [55, 8B, EC, 8B, 4D, 08, E8, ...]
.text win32k.sys!FLOATOBJ_EqualLong + 1 BF93430D 66 Bytes [FF, 55, 8B, EC, 51, 51, 33, ...]
.text win32k.sys!FLOATOBJ_GreaterThanLong BF934350 13 Bytes [8B, FF, 55, 8B, EC, 51, 51, ...] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH ECX; PUSH ECX; CMP DWORD [EBP+0xc], 0x0; JNZ 0x27}
.text win32k.sys!FLOATOBJ_GreaterThanLong + E BF93435E 51 Bytes [4D, 08, 8B, 01, 85, C0, 7C, ...]
.text win32k.sys!FLOATOBJ_GreaterThanLong + 42 BF934392 43 Bytes [00, 90, 90, 90, 90, 90, 8B, ...]
.text win32k.sys!FLOATOBJ_LessThanLong + 26 BF9343BE 14 Bytes [75, 08, 8D, 4D, F8, E8, 08, ...] {JNZ 0xa; LEA ECX, [EBP-0x8]; CALL 0xfffffffffff87412; LEAVE ; RET 0x8}
.text win32k.sys!FLOATOBJ_Equal + 1 BF9343D2 19 Bytes [FF, 55, 8B, EC, FF, 75, 0C, ...] {CALL [EBP-0x75]; IN AL, DX ; PUSH DWORD [EBP+0xc]; MOV ECX, [EBP+0x8]; CALL 0xffffffffffeda8f8; POP EBP; RET 0x8}
.text win32k.sys!FLOATOBJ_Equal + 16 BF9343E7 80 Bytes [90, 90, 90, 8B, FF, 55, 8B, ...]
.text win32k.sys!FLOATOBJ_LessThan + 39 BF93443C 124 Bytes [8B, FF, 55, 8B, EC, 56, 57, ...]
.text win32k.sys!FLOATOBJ_LessThan + B6 BF9344B9 55 Bytes [8B, 46, 04, 75, 15, 85, C0, ...]
.text win32k.sys!FLOATOBJ_LessThan + EE BF9344F1 159 Bytes [55, 8B, EC, 8B, 41, 44, 57, ...]
.text win32k.sys!FLOATOBJ_LessThan + 18E BF934591 43 Bytes JMP BF93463D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FLOATOBJ_LessThan + 1BA BF9345BD 26 Bytes [8D, 8D, 74, FF, FF, FF, E8, ...]
.text ...
.text win32k.sys!EngGetCurrentThreadId + 5 BF934737 5 Bytes [90, 90, 90, 90, 90] {NOP ; NOP ; NOP ; NOP ; NOP }
.text win32k.sys!EngGetCurrentThreadId + B BF93473D 144 Bytes [FF, 55, 8B, EC, 83, 7D, 08, ...]
.text win32k.sys!EngDebugPrint + 41 BF9347CF 31 Bytes [83, C4, 14, 5F, 5E, E8, E3, ...]
.text win32k.sys!EngDebugPrint + 62 BF9347F0 3 Bytes [FF, 75, 0C] {PUSH DWORD [EBP+0xc]}
.text win32k.sys!EngDebugPrint + 66 BF9347F4 74 Bytes [75, 08, FF, 15, E4, DB, 98, ...]
.text win32k.sys!EngAllocSectionMem BF934840 3 Bytes [8B, FF, 55] {MOV EDI, EDI; PUSH EBP}
.text win32k.sys!EngAllocSectionMem + 4 BF934844 51 Bytes [EC, 83, EC, 0C, 8B, 45, 10, ...]
.text win32k.sys!EngAllocSectionMem + 38 BF934878 104 Bytes [15, 9C, DC, 98, BF, 85, C0, ...]
.text win32k.sys!EngFreeSectionMem + 9 BF9348E1 86 Bytes [74, 09, FF, 75, 0C, FF, 15, ...]
.text win32k.sys!EngMapSection + 36 BF934938 10 Bytes [14, 6A, 04, 56, 6A, 01, 8D, ...] {ADC AL, 0x6a; ADD AL, 0x56; PUSH 0x1; LEA EAX, [EBP-0x4]; PUSH EAX}
.text win32k.sys!EngMapSection + 41 BF934943 44 Bytes [45, F4, 50, 56, 56, 57, FF, ...]
.text win32k.sys!EngMapSection + 6E BF934970 18 Bytes [75, 10, FF, 15, B8, DE, 98, ...] {JNZ 0x12; CALL [0xbf98deb8]; TEST EAX, EAX; JL 0xf; XOR ESI, ESI; INC ESI; MOV ECX, [EBP+0x10]}
.text win32k.sys!EngMapSection + 82 BF934984 1 Byte [BC]
.text win32k.sys!EngMapSection + 86 BF934988 78 Bytes [8B, C6, 5F, 5E, C9, C2, 10, ...]
.text win32k.sys!EngInitializeSafeSemaphore + 31 BF9349D7 12 Bytes [C6, 5E, 5D, C2, 04, 00, 90, ...]
.text win32k.sys!EngDeleteSafeSemaphore + 2 BF9349E4 28 Bytes CALL BF8047BA \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeleteSafeSemaphore + 1F BF934A01 60 Bytes CALL BF8047CC \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeleteSafeSemaphore + 5C BF934A3E 19 Bytes [65, 9A, BF, 89, 35, EC, 65, ...]
.text win32k.sys!EngDeleteSafeSemaphore + 74 BF934A56 69 Bytes [A1, D0, 02, DF, FF, C1, E8, ...]
.text win32k.sys!EngDeleteSafeSemaphore + BA BF934A9C 96 Bytes JMP BF94B7E4 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!VidMemFree + A BF934F15 29 Bytes [5D, FF, A0, 5C, 02, 00, 00, ...]
.text win32k.sys!EngFreePrivateUserMem BF934F37 51 Bytes [8B, FF, 55, 8B, EC, A1, E0, ...]
.text win32k.sys!EngLockDirectDrawSurface + 8 BF934F6B 73 Bytes [9A, BF, 5D, FF, A0, B4, 02, ...]
.text win32k.sys!EngUnlockDirectDrawSurface + 3C BF934FB5 6 Bytes [00, 90, 90, 90, 90, 90] {ADD [EAX-0x6f6f6f70], DL}
.text win32k.sys!EngUnlockDirectDrawSurface + 43 BF934FBC 52 Bytes [FF, 55, 8B, EC, 56, 8B, F1, ...]
.text win32k.sys!EngUnlockDirectDrawSurface + 7B BF934FF4 33 Bytes [8B, FF, 55, 8B, EC, 56, FF, ...]
.text win32k.sys!EngUnlockDirectDrawSurface + 9D BF935016 27 Bytes CALL BF82D291 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnlockDirectDrawSurface + B9 BF935032 55 Bytes [8B, FF, 55, 8B, EC, 8B, 4D, ...]
.text ...
.text win32k.sys!EngGetType1FontList + D BF935AC5 11 Bytes [39, BE, CC, 02, 00, 00, 89, ...] {CMP [ESI+0x2cc], EDI; MOV [EBP-0x4], EDI; JNZ 0x16}
.text win32k.sys!EngGetType1FontList + 19 BF935AD1 3 Bytes CALL BF935651 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGetType1FontList + 1D BF935AD5 58 Bytes [89, 86, CC, 02, 00, 00, 39, ...]
.text win32k.sys!EngGetType1FontList + 59 BF935B11 19 Bytes [14, 89, 08, 8B, BE, CC, 02, ...]
.text win32k.sys!EngGetType1FontList + 6D BF935B25 13 Bytes [89, 79, 04, 33, FF, EB, 0D, ...] {MOV [ECX+0x4], EDI; XOR EDI, EDI; JMP 0x14; MOV EAX, [EBP+0x14]; MOV ECX, [EBP+0x1c]}
.text ...
.text win32k.sys!EngQueryLocalTime + 18 BF935C02 13 Bytes [ED, FF, FF, 8D, 45, E8, 50, ...]
.text win32k.sys!EngQueryLocalTime + 26 BF935C10 86 Bytes [E0, 98, BF, 8B, 45, 08, 66, ...]
.text win32k.sys!EngQueryLocalTime + 7D BF935C67 56 Bytes [10, 89, 91, AC, 00, 00, 00, ...]
.text win32k.sys!EngQueryLocalTime + B7 BF935CA1 23 Bytes [8B, 01, F6, 40, 28, 08, 74, ...]
.text win32k.sys!EngQueryLocalTime + D1 BF935CBB 41 Bytes [8B, 01, 8B, 80, DC, 01, 00, ...]
.text ...
.text win32k.sys!EngCheckAbort + BE BF935F35 270 Bytes [74, 2F, FF, 35, 30, A1, 9A, ...]
.text win32k.sys!EngCheckAbort + 1CD BF936044 2 Bytes [7D, 0C] {JGE 0xe}
.text win32k.sys!EngCheckAbort + 1D0 BF936047 29 Bytes [74, 11, FF, 75, 10, 6A, 01, ...]
.text win32k.sys!EngCheckAbort + 1EE BF936065 14 Bytes [FF, FF, 5D, C2, 0C, 00, 90, ...]
.text win32k.sys!EngCheckAbort + 1FD BF936074 88 Bytes CALL BF800BE5 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngDeleteEvent + 10 BF93768B 3 Bytes CALL BF802A54 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeleteEvent + 14 BF93768F 50 Bytes [33, C0, 40, EB, 02, 33, C0, ...]
.text win32k.sys!EngMapEvent + 23 BF9376C2 87 Bytes [3B, F3, 74, 76, 8B, FE, AB, ...]
.text win32k.sys!EngMapEvent + 7D BF93771C 36 Bytes CALL A877ED20
.text win32k.sys!EngMapEvent + A2 BF937741 25 Bytes [C2, 14, 00, 90, 90, 90, 90, ...]
.text win32k.sys!EngUnmapEvent + 12 BF93775B 52 Bytes [15, BC, DB, 98, BF, 56, E8, ...]
.text win32k.sys!EngSetEvent + 1B BF937792 22 Bytes [90, 90, 8B, FF, 55, 8B, EC, ...]
.text win32k.sys!EngClearEvent + 18 BF9377AC 144 Bytes [90, 8B, FF, 55, 8B, EC, 8B, ...]
.text win32k.sys!EngReadStateEvent + 90 BF93783D 31 Bytes CALL BF8585B4 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngReadStateEvent + B1 BF93785E 2 Bytes [E0, 37] {LOOPNZ 0x39}
.text win32k.sys!EngReadStateEvent + B5 BF937862 3 Bytes [57, FF, D6] {PUSH EDI; CALL ESI}
.text win32k.sys!EngReadStateEvent + B9 BF937866 3 Bytes [75, 08, 57] {JNZ 0xa; PUSH EDI}
.text win32k.sys!EngReadStateEvent + BD BF93786A 58 Bytes [D6, 83, 7D, 10, 00, 74, 08, ...]
.text win32k.sys!EngGetFilePath + 19 BF9378A5 13 Bytes [59, 59, 33, C0, 85, F6, 0F, ...]
.text win32k.sys!EngGetFilePath + 27 BF9378B3 122 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text win32k.sys!EngGetFileChangeTime + 76 BF93792E 104 Bytes [FF, 15, 14, E0, 98, BF, 85, ...]
.text win32k.sys!EngGetFileChangeTime + DF BF937997 41 Bytes CALL BF8987AA \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGetFileChangeTime + 10A BF9379C2 177 Bytes [89, 45, C8, 68, 78, 38, 99, ...]
.text win32k.sys!EngGetFileChangeTime + 1BC BF937A74 255 Bytes [FF, 75, D0, FF, 15, 2C, DD, ...]
.text win32k.sys!EngDeleteFile + 3E BF937B74 4 Bytes [15, C0, E0, 98]
.text win32k.sys!EngDeleteFile + 43 BF937B79 99 Bytes [85, C0, 74, 02, 33, FF, 8B, ...]
.text win32k.sys!EngDeleteFile + A7 BF937BDD 68 Bytes [8B, 4D, 34, 85, C9, 74, 24, ...]
.text win32k.sys!EngDeleteFile + EC BF937C22 67 Bytes [75, 44, FF, 75, 40, FF, 75, ...]
.text win32k.sys!EngDeleteFile + 130 BF937C66 55 Bytes [55, 8B, EC, 83, EC, 30, 8B, ...]
.text ...
.text win32k.sys!EngControlSprites + 45 BF938D66 18 Bytes [85, C0, 76, 21, FF, 75, 0C, ...]
.text win32k.sys!EngControlSprites + 58 BF938D79 42 Bytes [47, 3B, 7E, 68, 73, 0C, EB, ...]
.text win32k.sys!EngControlSprites + 83 BF938DA4 29 Bytes [55, 8B, EC, 51, 51, 56, 8B, ...]
.text win32k.sys!EngControlSprites + A1 BF938DC2 51 Bytes [3B, C7, 74, 18, 76, 41, FF, ...]
.text win32k.sys!EngControlSprites + D5 BF938DF6 59 Bytes [8D, 88, 94, 00, 00, 00, 51, ...]
.text ...
.text win32k.sys!EngMovePointer + B2 BF93973E 3 Bytes CALL BF827A7D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMovePointer + B6 BF939742 96 Bytes [EB, 29, 53, 53, 57, E8, 30, ...]
.text win32k.sys!EngMovePointer + 117 BF9397A3 142 Bytes [2E, EB, EC, 2B, 86, 74, 01, ...]
.text win32k.sys!EngSetPointerShape + 25 BF939833 29 Bytes [00, 8B, C8, 75, 07, 33, DB, ...]
.text win32k.sys!EngSetPointerShape + 43 BF939851 1 Byte [45]
.text win32k.sys!EngSetPointerShape + 43 BF939851 84 Bytes [45, 08, 8B, 70, 0C, 89, 75, ...]
.text win32k.sys!EngSetPointerShape + 98 BF9398A6 63 Bytes [39, 19, 75, 02, 89, 01, FF, ...]
.text win32k.sys!EngSetPointerShape + D9 BF9398E7 48 Bytes [77, E5, 33, DB, 39, 9E, BC, ...]
.text ...
.text win32k.sys!EngQueryPalette + 6F BF939F16 76 Bytes [F3, A7, EC, FF, 8B, C6, 5E, ...]
.text win32k.sys!EngQueryPalette + BC BF939F63 1 Byte [C0]
.text win32k.sys!EngQueryPalette + BC BF939F63 52 Bytes [C0, 08, 4A, 89, 70, FC, 75, ...]
.text win32k.sys!EngQueryPalette + F1 BF939F98 40 Bytes [00, 05, 00, 00, 00, 80, 3B, ...]
.text win32k.sys!EngQueryPalette + 11A BF939FC1 116 Bytes [FF, 85, C0, 89, 46, 08, 74, ...]
.text ...
.text win32k.sys!EngCreatePath + 40 BF93A1FD 3 Bytes CALL BF84C305 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreatePath + 44 BF93A201 6 Bytes [8B, C7, 5F, 5E, C9, C3] {MOV EAX, EDI; POP EDI; POP ESI; LEAVE ; RET }
.text win32k.sys!EngDeletePath + 5 BF93A211 19 Bytes [83, 7D, 08, 00, 74, 0E, 8B, ...]
.text win32k.sys!EngDeletePath + 19 BF93A225 47 Bytes [5D, C2, 04, 00, 90, 90, 90, ...]
.text win32k.sys!EngDeletePath + 49 BF93A255 59 Bytes [C1, 83, E0, 10, F6, C1, 01, ...]
.text win32k.sys!EngDeletePath + 85 BF93A291 117 Bytes [50, 6A, 00, 8B, CF, E8, 42, ...]
.text win32k.sys!PATHOBJ_bPolyBezierTo + 1A BF93A307 9 Bytes [90, 90, 90, 90, 8B, FF, 55, ...] {NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
.text win32k.sys!PATHOBJ_bPolyBezierTo + 24 BF93A311 37 Bytes [45, 08, 8B, 80, 8C, 00, 00, ...]
.text win32k.sys!WNDOBJ_cEnumStart + 12 BF93A337 126 Bytes CALL BF828D4C \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!WNDOBJ_vSetConsumer + 70 BF93A3B6 40 Bytes [85, C0, 74, 04, C6, 43, 14, ...]
.text win32k.sys!WNDOBJ_vSetConsumer + 99 BF93A3DF 3 Bytes CALL BF8B99F0 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!WNDOBJ_vSetConsumer + 9D BF93A3E3 82 Bytes CALL BF81311A \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!WNDOBJ_vSetConsumer + F0 BF93A436 87 Bytes CALL BF802A51 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateWnd BF93A490 4 Bytes [8B, FF, 55, 8B]
.text win32k.sys!EngCreateWnd + 5 BF93A495 68 Bytes [83, EC, 3C, 53, 56, 57, 8B, ...]
.text win32k.sys!EngCreateWnd + 4B BF93A4DB 14 Bytes [FF, 35, 2C, D2, 9A, BF, 8D, ...] {PUSH DWORD [0xbf9ad22c]; LEA ECX, [EBP-0x10]; CALL 0xffffffffffeca303}
.text win32k.sys!EngCreateWnd + 5A BF93A4EA 2 Bytes [1D, 28]
.text win32k.sys!EngCreateWnd + 5D BF93A4ED 2 Bytes [9A, BF]
.text ...
.text win32k.sys!EngDeleteWnd + 24 BF93A8DC 10 Bytes CALL BF93A796 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeleteWnd + 2F BF93A8E7 59 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text win32k.sys!EngDeleteWnd + 6B BF93A923 67 Bytes [7E, 0C, EB, 18, 8D, 4D, F8, ...]
.text win32k.sys!EngDeleteWnd + AF BF93A967 54 Bytes [85, FF, 75, E4, 8B, 76, 04, ...]
.text win32k.sys!EngDeleteWnd + E6 BF93A99E 74 Bytes [0C, 8B, 35, 28, 66, 9A, BF, ...]
.text ...
.text win32k.sys!EngDitherColor + 2E BF93B62A 21 Bytes [74, 41, 8B, B1, 28, 04, 00, ...]
.text win32k.sys!EngDitherColor + 44 BF93B640 69 Bytes CALL BF93AF79 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDitherColor + 8B BF93B687 70 Bytes [00, 6B, C9, 1C, 03, C1, 0F, ...]
.text win32k.sys!EngDitherColor + D2 BF93B6CE 103 Bytes CALL BF80179D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDitherColor + 13A BF93B736 123 Bytes [06, 21, 05, 4C, 66, 9A, BF, ...]
.text ...
.text win32k.sys!EngEnumForms + 67 BF93BEF7 151 Bytes CALL BF93B84B \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGetPrinter + F BF93BF8F 106 Bytes [75, 04, 6A, 57, EB, 14, 8B, ...]
.text win32k.sys!EngGetPrinter + 7A BF93BFFA 16 Bytes [00, 00, 8B, 45, 0C, 89, 3B, ...] {ADD [EAX], AL; MOV EAX, [EBP+0xc]; MOV [EBX], EDI; MOV EDI, [EBP+0x14]; MOV [EBX+0x8], EDI; ADD EDI, 0x10}
.text win32k.sys!EngGetPrinter + 8B BF93C00B 7 Bytes [43, 04, 74, 10, 6A, 00, 56] {INC EBX; ADD AL, 0x74; ADC [EDX+0x0], CH; PUSH ESI}
.text win32k.sys!EngGetPrinter + 93 BF93C013 27 Bytes CALL BF802ADC \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGetPrinter + AF BF93C02F 135 Bytes [00, 80, 57, 56, 53, FF, 75, ...]
.text win32k.sys!EngGetForm + 1F BF93C0B7 45 Bytes [39, 75, 0C, 74, 0D, FF, 75, ...]
.text win32k.sys!EngGetForm + 4D BF93C0E5 59 Bytes [0C, 00, 8B, 45, 18, 8B, 4D, ...]
.text win32k.sys!EngGetForm + 89 BF93C121 20 Bytes [8B, F0, 89, 75, 0C, EB, 07, ...]
.text win32k.sys!EngGetForm + 9E BF93C136 1 Byte [0C]
.text win32k.sys!EngGetForm + A1 BF93C139 72 Bytes [80, 57, 56, 53, FF, 75, 08, ...]
.text ...
.text win32k.sys!EngGetPrinterDriver + A BF93C328 7 Bytes [FF, 90, 90, 90, 90, 90, 8B]
.text win32k.sys!EngGetPrinterData + 2 BF93C330 11 Bytes [55, 8B, EC, 51, 53, 33, DB, ...]
.text win32k.sys!EngGetPrinterData + E BF93C33C 393 Bytes [FC, 08, 00, 00, 00, 75, 0F, ...]
.text win32k.sys!EngSetPrinterData + 8B BF93C4C6 54 Bytes [A5, 8B, C8, 83, E1, 03, F3, ...]
.text win32k.sys!EngSetPrinterData + C2 BF93C4FD 20 Bytes CALL BF89D033 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngSetPrinterData + D7 BF93C512 54 Bytes [8B, 45, F8, 5F, 5E, 5B, C9, ...]
.text win32k.sys!EngWritePrinter + 28 BF93C549 87 Bytes [BB, B0, 00, 00, 00, 8B, 75, ...]
.text win32k.sys!EngWritePrinter + 80 BF93C5A1 74 Bytes [01, 00, 72, 63, 33, FF, 3B, ...]
.text win32k.sys!EngWritePrinter + CB BF93C5EC 29 Bytes [8B, F8, 8B, D1, C1, E9, 02, ...]
.text win32k.sys!EngWritePrinter + E9 BF93C60A 39 Bytes [B0, 00, 00, 00, 83, 67, 04, ...]
.text win32k.sys!EngWritePrinter + 111 BF93C632 22 Bytes [C7, 43, 20, 00, 00, 00, 80, ...]
.text ...
.text win32k.sys!EngFileWrite + 5 BF93C779 57 Bytes [57, 8B, 7D, 10, 6A, 00, 6A, ...]
.text win32k.sys!EngFileIoControl + C BF93C7B3 46 Bytes [F8, 51, 50, 50, FF, 75, 1C, ...]
.text win32k.sys!EngGetTickCount + 3 BF93C7E2 61 Bytes [FE, 7F, 8B, 02, F7, 62, 04, ...]
.text win32k.sys!EngGetTickCount + 41 BF93C820 94 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text win32k.sys!EngGetTickCount + A0 BF93C87F 17 Bytes [FC, EB, 14, F6, C4, 03, 75, ...]
.text win32k.sys!EngGetTickCount + B2 BF93C891 37 Bytes [FF, 66, 8B, 47, 02, 66, 89, ...]
.text win32k.sys!EngGetTickCount + D8 BF93C8B7 131 Bytes [68, 68, 42, 99, BF, E8, 27, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 84FDF2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74E0C4C] spsh.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F74E0CA0] spsh.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74B0040] spsh.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74B013C] spsh.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74B00BE] spsh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74B07FC] spsh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74B06D2] spsh.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 84E502D8
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlInitUnicodeString] 000000A5
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!swprintf] 000000E5
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeSetEvent] 000000F1
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 00000071
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 000000D8
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00000031
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmFreeMappingAddress] 00000015
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 00000004
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 000000C7
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmUnmapIoSpace] 00000023
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 000000C3
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IofCompleteRequest] 00000018
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 00000096
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IofCallDriver] 00000005
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 0000009A
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 00000007
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoConnectInterrupt] 00000012
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoDetachDevice] 00000080
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeWaitForSingleObject] 000000E2
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeInitializeEvent] 000000EB
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeCancelTimer] 00000027
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 000000B2
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlInitAnsiString] 00000075
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 00000009
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoQueueWorkItem] 00000083
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmMapIoSpace] 0000002C
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 0000001A
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoReportDetectedDevice] 0000001B
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0000006E
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 0000005A
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!NlsMbCodePageTag] 000000A0
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!PoRequestPowerIrp] 00000052
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 0000003B
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 000000D6
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!sprintf] 000000B3
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 00000029
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!ObfDereferenceObject] 000000E3
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 0000002F
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 00000084
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!ZwClose] 00000053
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 000000D1
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 00000000
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 000000ED
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 00000020
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoCreateDevice] 000000FC
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 000000B1
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0000005B
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 0000006A
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!ZwOpenKey] 000000CB
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 000000BE
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoStartTimer] 00000039
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeInitializeTimer] 0000004A
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoInitializeTimer] 0000004C
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeInitializeDpc] 00000058
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeInitializeSpinLock] 000000CF
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoInitializeIrp] 000000D0
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!ZwCreateKey] 000000EF
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 000000AA
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 000000FB
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!ZwSetValueKey] 00000043
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeInsertQueueDpc] 0000004D
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 00000033
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoStartPacket] 00000085
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 00000045
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 000000F9
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoFreeMdl] 00000002
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmUnlockPages] 0000007F
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 00000050
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 0000003C
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 0000009F
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 000000A8
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeSynchronizeExecution] 00000051
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoStartNextPacket] 000000A3
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeBugCheckEx] 00000040
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 0000008F
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeSetTimer] 00000092
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!_allmul] 0000009D
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000038
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!_except_handler3] 000000F5
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!PoSetPowerState] 000000BC
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000B6
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000DA
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 00000021
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!_aulldiv] 00000010
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!strstr] 000000FF
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!_strupr] 000000F3
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeQuerySystemTime] 000000D2
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 000000CD
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!KeTickCount] 0000000C
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00000013
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoDeleteDevice] 000000EC
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 0000005F
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000097
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoAllocateIrp] 00000044
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoAllocateMdl] 00000017
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 000000C4
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmLockPagableDataSection] 000000A7
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 0000007E
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 0000003D
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!ExFreePoolWithTag] 00000064
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoFreeIrp] 0000005D
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!IoFreeWorkItem] 00000019
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!InitSafeBootMode] 00000073
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!RtlCompareMemory] 00000060
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!PoCallDriver] 00000081
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!memmove] 0000004F
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[ntoskrnl.exe!MmHighestUserAddress] 000000DC
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\aqwx560y.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74C0048] spsh.sys

---- Devices - GMER 1.0.15 ----

Device 84FDB1F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device 84D431F8
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\sptd \Device\3569444778 spsh.sys
Device \Driver\usbohci \Device\USBPDO-0 84E401F8
Device \Driver\usbohci \Device\USBPDO-1 84E401F8
Device \Driver\usbehci \Device\USBPDO-2 84E551F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 84FDD1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 84FDD1F8
Device \Driver\Cdrom \Device\CdRom0 84E211F8
Device \Driver\PCI_PNP3528 \Device\00000059 spsh.sys
Device \Driver\Ftdisk \Device\HarddiskVolume3 84FDD1F8
Device \Driver\Cdrom \Device\CdRom1 84E211F8
Device \Driver\atapi \Device\Ide\IdePort0 [F7354B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 [F7354B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 [F7354B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 [F7354B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 [F7354B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-7 [F7354B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-7 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Cdrom \Device\CdRom2 84E211F8
Device \Driver\usbstor \Device\00000080 84D2E1F8
Device \Driver\prohlp02 \Device\ProHlp02 E1830C00
Device \Driver\usbohci \Device\USBFDO-0 84E401F8
Device \Driver\usbstor \Device\0000007a 84D2E1F8
Device \Driver\usbohci \Device\USBFDO-1 84E401F8
Device \Driver\usbstor \Device\0000007b 84D2E1F8
Device \Driver\usbehci \Device\USBFDO-2 84E551F8
Device \Driver\usbstor \Device\0000007c 84D2E1F8
Device \Driver\usbstor \Device\0000007d 84D2E1F8
Device \Driver\Ftdisk \Device\FtControl 84FDD1F8
Device \Driver\usbstor \Device\0000007e 84D2E1F8
Device \Driver\usbstor \Device\0000007f 84D2E1F8
Device \Driver\aqwx560y \Device\Scsi\aqwx560y1Port4Path0Target0Lun0 84E1D1F8
Device \Driver\aqwx560y \Device\Scsi\aqwx560y1Port4Path0Target1Lun0 84E1D1F8
Device \Driver\aqwx560y \Device\Scsi\aqwx560y1 84E1D1F8
Device \FileSystem\Fastfat \Fat 84D431F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 84C6C1F8
Device \FileSystem\Cdfs \Cdfs F4B9DBCE

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0x21 0x8C 0xDD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x74 0xBA 0x61 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9B 0x1E 0x54 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xA5 0xA5 0x8B 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0x21 0x8C 0xDD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x74 0xBA 0x61 0xC0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9B 0x1E 0x54 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xA5 0xA5 0x8B 0x11 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0x21 0x8C 0xDD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x74 0xBA 0x61 0xC0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9B 0x1E 0x54 0x40 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xA5 0xA5 0x8B 0x11 ...

---- EOF - GMER 1.0.15 ----

Sorry again for so many posts.

#6 Elise


Posted 02 January 2010 - 05:45 AM

Hello Liamsdarlin,

It appears indeed the TDSS infection is gone. However, this is a nasty infection, and even after cleaning, it leaves a backdoor open. Please consider the following.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File". Note - if you get an error message, click first "Make Writeable".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft

 



#7 Liamsdarlin


Posted 03 January 2010 - 12:38 AM

Ok, here's the combofix log.


ComboFix 10-01-02.01 - Keri 01/02/2010 22:41:08.1.1 - x86
Running from: c:\documents and settings\Keri\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WinPCap
c:\program files\WinPCap\daemon_mgm.exe
c:\program files\WinPCap\NetMonInstaller.exe
c:\program files\WinPCap\npf_mgm.exe
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\SIntf16.dll
c:\windows\viassary-hp.reg
c:\windows\winhelp.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2009-12-12 23:08 . 2009-12-12 23:08 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\cYo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 04:50 . 2007-07-16 05:14 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-01 06:12 . 2009-07-31 19:55 -------- d-----w- c:\documents and settings\Keri\Application Data\vlc
2010-01-01 04:59 . 2009-04-23 01:45 -------- d-----w- c:\documents and settings\Keri\Application Data\uTorrent
2009-12-16 02:55 . 2009-12-16 02:55 -------- d-----w- c:\program files\Cobian Backup 9
2009-12-16 00:31 . 2009-11-29 05:39 -------- d-----w- c:\program files\Boilsoft Video Splitter
2009-12-14 03:44 . 2008-08-19 01:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 23:09 . 2005-12-26 20:51 61000 -c--a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-08 02:09 . 2009-12-08 02:06 -------- d-----w- c:\program files\iTunes
2009-12-08 02:07 . 2009-12-08 02:07 -------- d-----w- c:\program files\iPod
2009-12-08 02:07 . 2008-09-13 03:12 -------- d-----w- c:\program files\Common Files\Apple
2009-12-08 01:58 . 2009-12-08 01:56 -------- d-----w- c:\program files\QuickTime
2009-12-03 21:14 . 2008-08-19 01:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2008-08-19 01:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 06:08 . 2009-12-03 06:08 -------- d-----w- c:\program files\SanDisk
2009-12-03 06:08 . 2005-08-08 22:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-01 22:53 . 2009-12-01 22:53 -------- d-----w- c:\documents and settings\Keri\Application Data\com.divita.nihongoup.0847A6F69C43294B0233ECB55F0AA0E8236D3CEB.1
2009-12-01 22:51 . 2009-12-01 22:48 -------- d-----w- c:\program files\divita
2009-12-01 22:49 . 2009-12-01 22:49 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-01 04:08 . 2009-12-01 04:08 -------- d-----w- c:\documents and settings\Keri\Application Data\cYo
2009-12-01 04:04 . 2009-12-01 04:00 -------- d-----w- c:\program files\ComicRack
2009-11-30 17:32 . 2009-02-03 17:46 -------- d-----w- c:\program files\DoylesRoom
2009-11-28 22:46 . 2007-08-09 02:27 -------- d-----w- c:\program files\Absolute Poker Basic
2009-11-28 16:29 . 2009-11-24 17:44 -------- d-----w- c:\program files\Silver Oak Casino
2009-11-24 19:48 . 2006-12-30 06:10 -------- d-----w- c:\documents and settings\Keri\Application Data\yoclient
2009-11-24 19:48 . 2005-12-09 19:30 -------- d-----w- c:\documents and settings\Keri\Application Data\WeatherBug
2009-11-24 06:37 . 2009-02-17 23:37 -------- d-----w- c:\documents and settings\Keri\Application Data\Auslogics
2009-11-23 15:01 . 2009-11-23 15:01 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-23 14:58 . 2009-11-23 14:58 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-23 01:39 . 2009-11-23 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2009-11-23 01:38 . 2009-11-23 01:36 -------- d-----w- c:\program files\AIM7
2009-11-23 01:33 . 2009-11-23 01:32 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-11-23 01:32 . 2006-02-27 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-15 18:29 . 2009-05-03 17:24 -------- d-----w- c:\program files\PokerStars.NET
2009-11-15 18:29 . 2009-05-31 00:07 -------- d-----w- c:\program files\Full Tilt Poker.Net
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-23 21:35 . 2006-08-23 04:49 61000 -c--a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
2007-01-22 14:35 . 2007-01-22 14:36 774144 -c--a-w- c:\program files\RngInterstitial.dll
2006-02-13 02:01 . 2006-02-13 02:01 423 -c--a-w- c:\program files\.lot
2006-02-13 02:00 . 2006-02-13 01:59 280000 -c--a-w- c:\program files\allbox4.rpt
2006-02-13 01:59 . 2006-02-13 01:59 180 -c--a-w- c:\program files\lotto.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-09 02:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Keri\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-10-24 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-12-22 85744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
???
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-12-28 15:03 788880 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 15:09 63712 -c--a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2009-10-01 20:20 3634024 ----a-w- c:\program files\AIM7\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2005-12-21 16:33 48800 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 13:11 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2005-02-26 05:34 245760 -c--a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-28 06:50 221184 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2005-10-04 21:12 2260992 ----a-w- c:\windows\kdx\khost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
2002-10-14 20:09 57344 ----a-w- c:\program files\Lexmark X74-X75\lxbbbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-03 21:14 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\slide.exe]
2007-04-26 17:30 32128 -c--a-w- c:\program files\Slide\Slide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 06:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-05-06 07:20 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-05-19 23:26 3561720 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\EA GAMES\\American McGee's Alice\\alice.exe"=
"c:\\Program Files\\America's Army Deploy Client\\AADeployClient.exe"=
"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Documents and Settings\\Keri\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-05-06 2785582]
R3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [x]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-10-24 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-10-24 28800]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-12-22 169200]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-09-23 64288]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-06-14 717296]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-12-28 1181328]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-10 18944]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-27 102448]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]

.
Contents of the 'Scheduled Tasks' folder

2010-01-03 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 15:04]

2010-01-03 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 15:04]

2010-01-03 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 15:04]

2010-01-03 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 15:04]

2010-01-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 15:04]

2009-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-08-08 21:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
IE: &Search
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: { - c:\program files\platinumplay\casinogame.exe
IE: {{5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5}
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} - hxxp://www.riverbelle.com/download_helper/Nyoko.cab
DPF: {46C66BBD-E667-4DAD-9682-58050E7C9FDC} - hxxp://www.cdpass.com/cdkey/CDPass.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\documents and settings\Keri\Application Data\Mozilla\Firefox\Profiles\lgsnsytu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - plugin: c:\documents and settings\Keri\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
MSConfigStartUp-Blubster - c:\progra~1\Blubster\Blubster.exe
MSConfigStartUp-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
AddRemove-Redline Racer - c:\program files\Criterion Studios\Redline Racer\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-02 23:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Keri\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?ss%253dcommon_content%2526%26download%3d%2526content-url%253dhttp%25253a%25252f%25252fmp

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys atapi.sys spdt.sys >>UNKNOWN [0x84BC9938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7519f28
\Driver\ACPI -> ACPI.sys @ 0xf7274cb8
\Driver\atapi -> prosync1.sys @ 0xf79bf661
\Driver\iaStor -> 0x84b871f8
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7051bd4
PacketIndicateHandler -> NDIS.sys @ 0xf705da21
SendHandler -> NDIS.sys @ 0xf7051d44
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2352)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nexon\Mabinogi\npkcmsvc.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\ssmypics.scr
.
**************************************************************************
.
Completion time: 2010-01-03 00:23:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-03 05:21

Pre-Run: 27,632,189,440 bytes free
Post-Run: 27,820,879,872 bytes free

- - End Of File - - 4F17672E49F5BE2B0FA87FACD127B2CE

#8 Elise


Posted 03 January 2010 - 10:39 AM

Hello Liamsdarlin,

P2P WARNING
-------------------
Going over your logs I noticed that you have utorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall utorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


POKER WARNING
--------------------
Your logs show that you have been visiting online poker sites with applets installed on your computer. I know that you may use these programs on a regular basis but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programs yourself on purpose.
There are so many online poker games out there these days that it is close to impossible to keep track of whether a program is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this. Should you decide to uninstall the program, then you can do so by following the below steps:
  • Go to Start > Control Panel > Add or Remove Programs.
  • Remove the following poker programs (if they are present):
    Full Tilt Poker
If you are unsure of how to use Add or Remove Programs, then please see this tutorial.


UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u15-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log
  • Please let me know how everything is running now.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#9 Liamsdarlin


Posted 04 January 2010 - 04:06 AM

Hey. I uninstalled a few things and updated Java. Then ran MBAM. It took quite a while to run MBAM, about twice as long as normal. Also while it was scanning, auto-protect was still coming up. But this time it had quite a few new files. Usually it just comes up with one file, A0051955.sys. But it had more this time while MBAM was running. Here's the list of them:

A0051955.sys
A0051961.sys
A0052889.sys
A0052905.sys
A0052910.sys
A0052923.sys
A0053923.sys
A0053936.sys
A0053942.sys
A0053954.sys
A0053958.sys
A0053964.sys
A0054005.sys

The first five of those files have come up in a full scan with Symantec, but never in auto-protect until tonight. After I ran MBAM and rebooted, I let the PC sit for a bit and see if auto-protect still came up and it did. But only with the one file, A0051955.sys. Other than that, the PC is starting up a little quicker, though still a bit slow in general.

Here's the MBAM log.

Malwarebytes' Anti-Malware 1.43
Database version: 3488
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/4/2010 2:41:05 AM
mbam-log-2010-01-04 (02-41-05).txt

Scan type: Full Scan (C:\|D:\|L:\|)
Objects scanned: 321303
Time elapsed: 10 hour(s), 57 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Compaq_Owner\My Documents\Silver Oak Casino.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061838.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061837.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061840.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061843.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061844.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061859.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061860.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061864.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061870.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061873.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061881.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP434\A0046442.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP442\A0046642.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
L:\Dad's backup\Silver Oak Casino.exe (Adware.Casino) -> Quarantined and deleted successfully.
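
The MBAM log above mixes live files with copies archived by Windows XP System Restore (paths under `System Volume Information\_restore{...}\RPnnn\`). The following is an added example, not part of the original post or of Malwarebytes: a small Python triage that separates the two and checks the parsed entries against the count declared in the log summary. The sample log is constructed (shortened from the layout above), and the function names are hypothetical.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: shortened log in the same layout as the MBAM log above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.43
Scan type: Full Scan (C:\|D:\|L:\|)

Folders Infected: 0
Files Infected: 4

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Compaq_Owner\My Documents\Silver Oak Casino.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061838.dll (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP508\A0061840.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP434\A0046442.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""

# One detection line: <path> (<family>) -> <action>.
# The greedy path group tolerates parentheses inside the path itself.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Windows XP System Restore keeps archived copies of monitored files as
# <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<digits>.<ext>
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]{36}\}\\RP(?P<rp>\d+)\\A\d+\.\w+$",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    family: str
    action: str
    restore_point: Optional[int]  # None means a live file outside System Restore


def declared_file_count(log: str) -> Optional[int]:
    """Return the number from the summary line 'Files Infected: N', if present."""
    m = re.search(r"^Files Infected: (\d+)\s*$", log, re.MULTILINE)
    return int(m.group(1)) if m else None


def parse_files_infected(log: str) -> List[Detection]:
    """Collect the entries listed under the 'Files Infected:' section header."""
    found: List[Detection] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Files Infected:":
            in_section = True
        elif in_section and line:
            m = ENTRY_RE.match(line)
            if not m:
                break  # first non-entry line (or "(No malicious items...)") ends it
            rp = RESTORE_RE.search(m.group("path"))
            found.append(Detection(
                path=m.group("path"),
                family=m.group("family"),
                action=m.group("action"),
                restore_point=int(rp.group("rp")) if rp else None,
            ))
    return found


def triage(log: str) -> dict:
    """Split detections into live files and System Restore copies."""
    hits = parse_files_infected(log)
    declared = declared_file_count(log)
    archived = [d for d in hits if d.restore_point is not None]
    return {
        "declared": declared,
        "parsed": len(hits),
        "complete": declared == len(hits),  # False if the pasted log was cut short
        "live": [d for d in hits if d.restore_point is None],
        "archived_by_rp": Counter(d.restore_point for d in archived),
        "families": Counter(d.family for d in hits),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"declared={result['declared']} parsed={result['parsed']} "
          f"complete={result['complete']}")
    for d in result["live"]:
        print(f"LIVE     {d.family:20} {d.path}")
    for rp, n in sorted(result["archived_by_rp"].items()):
        print(f"ARCHIVED restore point RP{rp}: {n} file(s)")
```

A `complete` value of `False` means the number of parsed entries does not match the log's own summary, which usually indicates a truncated paste.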

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin

Posted 04 January 2010 - 07:02 AM

Hello Liamsdarlin,

No need to worry about those detections. These are System Restore items, and we will reset that once you are cleaned up :(

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  • Push the Posted Image button.
  • Push Posted Image
In your next reply, please include the following:
  • ESET online scan results
  • A new DDS log
  • A description of any remaining problems.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft

 



#11 Liamsdarlin

Liamsdarlin
  • Topic Starter

  • Members

Posted 04 January 2010 - 04:28 PM

Hi elise025. Thank you for letting me know not to worry too much about those files. They've been driving me crazy lol. So, I ran those scans and things seem to be a bit faster. Some things are still a little slow, but that might just be cause my PC is getting old and I'm sure I need to do a good cleaning of junk files and stuff like that. Anyway, here are the reports you asked for.

ESET scan

C:\Documents and Settings\Compaq_Owner\Application Data\Auslogics\Rescue\One Button Checkup\091111151511265.rsc a variant of Win32/Olmarik.PS trojan deleted - quarantined



And DDS


DDS (Ver_09-12-01.01) - NTFSx86
Run by Keri at 15:39:13.23 on Mon 01/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Keri\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM7\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Keri\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [SansaDispatch] c:\documents and settings\keri\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &Search
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: { - c:\program files\platinumplay\casinogame.exe
IE: {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5}
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} - hxxp://www.riverbelle.com/download_helper/Nyoko.cab
DPF: {46C66BBD-E667-4DAD-9682-58050E7C9FDC} - hxxp://www.cdpass.com/cdkey/CDPass.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134271249015
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} - hxxp://cdn.digitalcity.com/video/kdx.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://riverbelle.microgaming.com/freeplay/FlashAX.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\keri\applic~1\mozilla\firefox\profiles\lgsnsytu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - plugin: c:\documents and settings\keri\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R? ccPwdSvc;Symantec Password Validation
R? npggsvc;nProtect GameGuard Service
R? PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver
R? PPJoyBus;Parallel Port Joystick Bus device driver
R? PPortJoystick;Parallel Port Joystick device driver
R? SavRoam;SavRoam
S? ccEvtMgr;Symantec Event Manager
S? ccSetMgr;Symantec Settings Manager
S? EraserUtilRebootDrv;EraserUtilRebootDrv
S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
S? Lbd;Lbd
S? libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1
S? libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1
S? NAVENG;NAVENG
S? NAVEX15;NAVEX15
S? SAVRT;SAVRT
S? SAVRTPEL;SAVRTPEL
S? Symantec AntiVirus;Symantec AntiVirus
S? Viewpoint Manager Service;Viewpoint Manager Service

=============== Created Last 30 ================

2010-01-04 17:56:42 0 d-----w- c:\program files\ESET
2010-01-03 20:10:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-03 20:10:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-03 19:31:01 0 d-----w- c:\docume~1\keri\applic~1\Kontiki
2010-01-03 03:31:41 77312 ----a-w- c:\windows\MBR.exe
2010-01-03 03:31:36 261632 ----a-w- c:\windows\PEV.exe
2010-01-03 03:31:33 161792 ----a-w- c:\windows\SWREG.exe
2010-01-03 03:31:30 98816 ----a-w- c:\windows\sed.exe
2010-01-03 03:04:43 0 d-----w- C:\HostsXpert
2009-12-23 03:11:32 16128 ----a-w- c:\windows\system32\dllcache\pscr.sys
2009-12-23 03:11:26 17664 ----a-w- c:\windows\system32\dllcache\ppa3.sys
2009-12-23 03:11:22 17792 ----a-w- c:\windows\system32\dllcache\ppa.sys
2009-12-23 03:11:19 8832 ----a-w- c:\windows\system32\dllcache\powerfil.sys
2009-12-23 03:11:14 7168 ----a-w- c:\windows\system32\dllcache\pnrmc.sys
2009-12-23 03:11:03 121344 ----a-w- c:\windows\system32\dllcache\phvfwext.dll
2009-12-23 03:09:59 29502 ----a-w- c:\windows\system32\dllcache\pca200e.sys
2009-12-23 03:08:58 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys
2009-12-23 03:08:47 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
2009-12-23 03:07:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2009-12-23 03:07:18 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2009-12-23 03:06:44 51552 ----a-w- c:\windows\system32\dllcache\ntgrip.sys
2009-12-23 03:06:37 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2009-12-23 03:06:33 7552 ----a-w- c:\windows\system32\dllcache\nsmmc.sys
2009-12-23 03:06:29 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2009-12-23 03:06:18 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2009-12-23 03:06:14 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-12-23 03:06:06 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2009-12-23 03:06:05 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2009-12-23 03:04:59 19968 ----a-w- c:\windows\system32\dllcache\mxnic.sys
2009-12-23 03:04:55 19968 ----a-w- c:\windows\system32\dllcache\mxicfg.dll
2009-12-23 03:04:52 21888 ----a-w- c:\windows\system32\dllcache\mxcard.sys
2009-12-23 03:04:51 229439 ----a-w- c:\windows\system32\dllcache\multibox.dll
2009-12-23 03:04:34 103296 ----a-w- c:\windows\system32\dllcache\mtxvideo.sys
2009-12-23 03:04:03 49024 ----a-w- c:\windows\system32\dllcache\mstape.sys
2009-12-23 03:03:54 12416 ----a-w- c:\windows\system32\dllcache\msriffwv.sys
2009-12-23 03:03:31 2944 ----a-w- c:\windows\system32\dllcache\msmpu401.sys
2009-12-23 03:03:25 22016 ----a-w- c:\windows\system32\dllcache\msircomm.sys
2009-12-23 03:03:24 1875968 ----a-w- c:\windows\system32\dllcache\msir3jp.lex
2009-12-23 03:03:23 98304 ----a-w- c:\windows\system32\dllcache\msir3jp.dll
2009-12-23 03:02:53 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2009-12-23 03:02:00 6016 ----a-w- c:\windows\system32\dllcache\msfsio.sys
2009-12-23 03:01:57 56832 ----a-w- c:\windows\system32\dllcache\msdvbnp.ax
2009-12-23 03:01:45 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2009-12-23 03:00:32 17280 ----a-w- c:\windows\system32\dllcache\mraid35x.sys
2009-12-23 03:00:11 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2009-12-23 02:59:57 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-12-23 02:59:49 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-12-23 02:59:31 6528 ----a-w- c:\windows\system32\dllcache\miniqic.sys
2009-12-23 02:59:19 320384 ----a-w- c:\windows\system32\dllcache\mgaum.sys
2009-12-23 02:59:16 235648 ----a-w- c:\windows\system32\dllcache\mgaud.dll
2009-12-23 02:59:13 26112 ----a-w- c:\windows\system32\dllcache\memstpci.sys
2009-12-23 02:59:10 47616 ----a-w- c:\windows\system32\dllcache\memgrp.dll
2009-12-23 02:59:06 8320 ----a-w- c:\windows\system32\dllcache\memcard.sys
2009-12-23 02:57:54 4992 ----a-w- c:\windows\system32\dllcache\loop.sys
2009-12-23 02:57:45 70730 ----a-w- c:\windows\system32\dllcache\lne100tx.sys
2009-12-23 02:57:42 20573 ----a-w- c:\windows\system32\dllcache\lne100.sys
2009-12-23 02:57:37 25065 ----a-w- c:\windows\system32\dllcache\lmndis3.sys
2009-12-23 02:57:34 15744 ----a-w- c:\windows\system32\dllcache\lit220p.sys
2009-12-23 02:57:31 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-23 02:57:28 26442 ----a-w- c:\windows\system32\dllcache\lanepic5.sys
2009-12-23 02:57:23 19016 ----a-w- c:\windows\system32\dllcache\ktc111.sys
2009-12-23 02:57:12 37376 ----a-w- c:\windows\system32\dllcache\kousd.dll
2009-12-23 02:57:11 1158818 ----a-w- c:\windows\system32\dllcache\korwbrkr.lex
2009-12-23 02:57:10 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2009-12-23 02:57:05 253952 ----a-w- c:\windows\system32\dllcache\kdsusd.dll
2009-12-23 02:57:02 48640 ----a-w- c:\windows\system32\dllcache\kdsui.dll
2009-12-23 02:56:12 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2009-12-23 02:55:15 8704 ----a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-12-23 02:54:49 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-12-23 02:53:56 6144 ----a-w- c:\windows\system32\dllcache\kbd106.dll
2009-12-23 02:53:53 5632 ----a-w- c:\windows\system32\dllcache\kbd103.dll
2009-12-23 02:53:49 6144 ----a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-12-23 02:53:46 6144 ----a-w- c:\windows\system32\dllcache\kbd101b.dll
2009-12-23 02:53:34 26624 ----a-w- c:\windows\system32\dllcache\irstusb.sys
2009-12-23 02:53:31 18688 ----a-w- c:\windows\system32\dllcache\irsir.sys
2009-12-23 02:53:30 28160 ----a-w- c:\windows\system32\dllcache\irmon.dll
2009-12-23 02:53:27 23552 ----a-w- c:\windows\system32\dllcache\irmk7.sys
2009-12-23 02:53:26 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe
2009-12-23 02:53:21 88192 ----a-w- c:\windows\system32\dllcache\irda.sys
2009-12-23 02:51:41 372824 ----a-w- c:\windows\system32\dllcache\iconf32.dll
2009-12-23 02:51:36 100992 ----a-w- c:\windows\system32\dllcache\icam5usb.sys
2009-12-23 02:51:33 20480 ----a-w- c:\windows\system32\dllcache\icam5ext.dll
2009-12-23 02:51:30 45056 ----a-w- c:\windows\system32\dllcache\icam5com.dll
2009-12-23 02:51:27 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys
2009-12-23 02:51:24 61952 ----a-w- c:\windows\system32\dllcache\icam4ext.dll
2009-12-23 02:51:21 91136 ----a-w- c:\windows\system32\dllcache\icam4com.dll
2009-12-23 02:51:17 26624 ----a-w- c:\windows\system32\dllcache\icam3ext.dll
2009-12-23 02:51:14 141056 ----a-w- c:\windows\system32\dllcache\icam3.sys
2009-12-23 02:51:10 38528 ----a-w- c:\windows\system32\dllcache\ibmvcap.sys
2009-12-23 02:51:06 109085 ----a-w- c:\windows\system32\dllcache\ibmtrp.sys
2009-12-23 02:51:03 100936 ----a-w- c:\windows\system32\dllcache\ibmtok.sys
2009-12-23 02:50:59 9216 ----a-w- c:\windows\system32\dllcache\ibmsgnet.dll
2009-12-23 02:50:56 28700 ----a-w- c:\windows\system32\dllcache\ibmexmp.sys
2009-12-23 02:50:49 161020 ----a-w- c:\windows\system32\dllcache\i81xnt5.sys
2009-12-23 02:50:48 702845 ----a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2009-12-23 02:50:45 58592 ----a-w- c:\windows\system32\dllcache\i740nt5.sys
2009-12-23 02:50:35 353184 ----a-w- c:\windows\system32\dllcache\i740dnt5.dll
2009-12-23 02:50:34 18560 ----a-w- c:\windows\system32\dllcache\i2omp.sys
2009-12-23 02:50:26 8576 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-23 02:50:14 10129408 ----a-w- c:\windows\system32\dllcache\hwxkor.dll
2009-12-23 02:49:54 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2009-12-23 02:49:23 488383 ----a-w- c:\windows\system32\dllcache\hsf_v124.sys
2009-12-23 02:49:20 50751 ----a-w- c:\windows\system32\dllcache\hsf_tone.sys
2009-12-23 02:49:17 73279 ----a-w- c:\windows\system32\dllcache\hsf_spkp.sys
2009-12-23 02:49:13 44863 ----a-w- c:\windows\system32\dllcache\hsf_soar.sys
2009-12-23 02:49:10 57471 ----a-w- c:\windows\system32\dllcache\hsf_samp.sys
2009-12-23 02:49:07 542879 ----a-w- c:\windows\system32\dllcache\hsf_msft.sys
2009-12-23 02:49:02 391199 ----a-w- c:\windows\system32\dllcache\hsf_k56k.sys
2009-12-23 02:47:59 126976 ----a-w- c:\windows\system32\dllcache\hpgt34tk.dll
2009-12-23 02:47:56 101376 ----a-w- c:\windows\system32\dllcache\hpgt34.dll
2009-12-23 02:47:53 48128 ----a-w- c:\windows\system32\dllcache\hpgt33tk.dll
2009-12-23 02:47:50 89088 ----a-w- c:\windows\system32\dllcache\hpgt33.dll
2009-12-23 02:47:47 123392 ----a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2009-12-23 02:47:43 83968 ----a-w- c:\windows\system32\dllcache\hpgt21.dll
2009-12-23 02:47:37 119296 ----a-w- c:\windows\system32\dllcache\hpdigwia.dll
2009-12-23 02:47:19 2688 ----a-w- c:\windows\system32\dllcache\hidswvd.sys
2009-12-23 02:47:19 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-23 02:47:14 8576 ----a-w- c:\windows\system32\dllcache\hidgame.sys
2009-12-23 02:47:12 20352 ----a-w- c:\windows\system32\dllcache\hidbatt.sys
2009-12-23 02:45:43 92160 ----a-w- c:\windows\system32\dllcache\fuusd.dll
2009-12-23 02:45:40 455296 ----a-w- c:\windows\system32\dllcache\fusbbase.sys
2009-12-23 02:45:37 455680 ----a-w- c:\windows\system32\dllcache\fus2base.sys
2009-12-23 02:45:20 442240 ----a-w- c:\windows\system32\dllcache\fpnpbase.sys
2009-12-23 02:45:16 441728 ----a-w- c:\windows\system32\dllcache\fpcmbase.sys
2009-12-23 02:45:04 444416 ----a-w- c:\windows\system32\dllcache\fpcibase.sys
2009-12-23 02:44:53 34173 ----a-w- c:\windows\system32\dllcache\forehe.sys
2009-12-23 02:44:24 71680 ----a-w- c:\windows\system32\dllcache\fnfilter.dll
2009-12-23 02:44:05 27165 ----a-w- c:\windows\system32\dllcache\fetnd5.sys
2009-12-23 02:43:56 22090 ----a-w- c:\windows\system32\dllcache\fem556n5.sys
2009-12-23 02:43:40 24618 ----a-w- c:\windows\system32\dllcache\fa410nd5.sys
2009-12-23 02:43:38 16074 ----a-w- c:\windows\system32\dllcache\fa312nd5.sys
2009-12-23 02:43:35 11850 ----a-w- c:\windows\system32\dllcache\f3ab18xj.sys
2009-12-23 02:43:33 12362 ----a-w- c:\windows\system32\dllcache\f3ab18xi.sys
2009-12-23 02:43:29 7040 ----a-w- c:\windows\system32\dllcache\exabyte2.sys
2009-12-23 02:43:27 16998 ----a-w- c:\windows\system32\dllcache\ex10.sys
2009-12-23 02:43:19 45568 ----a-w- c:\windows\system32\dllcache\esunib.dll
2009-12-23 02:43:17 45568 ----a-w- c:\windows\system32\dllcache\esuni.dll
2009-12-23 02:43:09 34816 ----a-w- c:\windows\system32\dllcache\esuimg.dll
2009-12-23 02:42:48 43008 ----a-w- c:\windows\system32\dllcache\esucm.dll
2009-12-23 02:42:43 137088 ----a-w- c:\windows\system32\dllcache\essm2e.sys
2009-12-23 02:42:22 63360 ----a-w- c:\windows\system32\dllcache\ess.sys
2009-12-23 02:42:08 347550 ----a-w- c:\windows\system32\dllcache\es56tpi.sys
2009-12-23 02:42:05 594238 ----a-w- c:\windows\system32\dllcache\es56hpi.sys
2009-12-23 02:42:03 595647 ----a-w- c:\windows\system32\dllcache\es56cvmp.sys
2009-12-23 02:42:00 174464 ----a-w- c:\windows\system32\dllcache\es198x.sys
2009-12-23 02:40:58 634134 ----a-w- c:\windows\system32\dllcache\el656ct5.sys
2009-12-23 02:39:59 8704 ----a-w- c:\windows\system32\dllcache\dot4scan.sys
2009-12-23 02:38:55 419357 ----a-w- c:\windows\system32\dllcache\dgconfig.dll
2009-12-23 02:37:59 3072 ----a-w- c:\windows\system32\dllcache\cwbmidi.sys
2009-12-23 02:36:59 838144 ----a-w- c:\windows\system32\dllcache\chtbrkr.dll
2009-12-23 02:35:59 74240 ----a-w- c:\windows\system32\dllcache\camexo20.dll
2009-12-23 02:35:58 73216 ----a-w- c:\windows\system32\dllcache\camexo20.ax
2009-12-23 02:35:57 171264 ----a-w- c:\windows\system32\dllcache\camdrv30.sys
2009-12-23 02:35:56 223232 ----a-w- c:\windows\system32\dllcache\camdrv21.sys
2009-12-23 02:35:51 314752 ----a-w- c:\windows\system32\dllcache\camdro21.sys
2009-12-23 02:33:59 102400 ----a-w- c:\windows\system32\dllcache\binlsvc.dll
2009-12-23 02:32:59 46464 ----a-w- c:\windows\system32\dllcache\atibt829.sys
2009-12-23 02:30:29 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-12-16 02:55:25 0 d-----w- c:\program files\Cobian Backup 9
2009-12-09 08:07:29 443 ----a-w- c:\windows\system32\MRT.INI
2009-12-08 02:07:11 0 d-----w- c:\program files\iPod
2009-12-08 02:06:34 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 15:01:30 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-23 21:35:01 61000 -c--a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\dllcache\raschap.dll
2007-01-22 14:35:48 774144 -c--a-w- c:\program files\RngInterstitial.dll
2006-02-13 02:01:46 423 -c--a-w- c:\program files\.lot
2006-02-13 02:00:38 280000 -c--a-w- c:\program files\allbox4.rpt
2006-02-13 01:59:52 180 -c--a-w- c:\program files\lotto.tmp
2008-09-05 22:40:22 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 15:43:46.18 ===============


#12 Elise


Posted 05 January 2010 - 04:51 AM

Hello Liamsdarlin,

POKER WARNING
--------------------
Your logs show that you have been visiting online poker and casino sites with applets installed on your computer. I know that you may use these programs on a regular basis but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programs yourself on purpose.
There are so many online poker and casino games out there these days that it is close to impossible to keep track of whether a program is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this. Should you decide to uninstall the program, then you can do so by following the below steps:
  • Go to Start > Control Panel > Add or Remove Programs.
  • Remove the following poker and casino programs (if they are present):
    SpadeClub Poker
    Vegas Country Casino
If you are unsure of how to use Add or Remove Programs, then please see this tutorial

UNINSTALL PROGRAMS
--------------------------------
The following programs are unwanted applications. I strongly recommend you to uninstall them.

Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.
Ask Toolbar
Viewpoint Manager (Remove Only)
Viewpoint Media Player

If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer


In your next reply, please include the following:
  • A new DDS log.

regards, Elise




#13 Liamsdarlin


Posted 05 January 2010 - 03:39 PM

Hi elise025,

My dad uses the poker sites. He's asked if it's ok for him to keep Spadeclub and Absolute Poker? Those are the ones he actually uses the most. I think I've gotten rid of all the others he had on here. But the Vegas Country Casino is giving me a hard time trying to uninstall it. When I click on it in Add/Remove Programs it comes up saying "Could not open INSTALL.LOG file". I've checked C:\Program Files to see if it was in there, and I don't see any folders with that name. So, is it possible that my father deleted it wrong? I removed the other things without any problem though.

Oh, there was something else I meant to ask about and keep forgetting. Sometimes I notice that my Firefox disappears from the taskbar. Not always, but it does happen off and on. And the only way I can get it back is when I use alt. + tab. I don't think I've noticed anything else disappearing from the task bar though, so I'm not sure if it's just a problem with Firefox or something else.

Ok, here's the DDS log.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Keri at 14:39:23.51 on Tue 01/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.131 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Keri\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM7\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Keri\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
uRun: [SansaDispatch] c:\documents and settings\keri\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: &Search
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: { - c:\program files\platinumplay\casinogame.exe
IE: {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5}
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} - hxxp://www.riverbelle.com/download_helper/Nyoko.cab
DPF: {46C66BBD-E667-4DAD-9682-58050E7C9FDC} - hxxp://www.cdpass.com/cdkey/CDPass.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134271249015
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} - hxxp://cdn.digitalcity.com/video/kdx.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://riverbelle.microgaming.com/freeplay/FlashAX.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\keri\applic~1\mozilla\firefox\profiles\lgsnsytu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - plugin: c:\documents and settings\keri\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID2AA5E7CF-9696-42F0-B76A-8655296EADF2", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID0AAACE0B-ACEF-4781-83F4-BFB52EEC995A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID0D56FF58-A39D-4E8C-A40B-2E3711251772", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID946121C2-11F1-49DD-A7E3-CF793DE827A4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CIDB853303D-1BAB-43F3-9D7D-101D0DA8E7A5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID9E578247-FE29-4F8C-8202-A24A5688CF2A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID6D065A8F-FFC0-4A0F-B863-1D724B8C786B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID4451D291-6940-42CE-9D3C-CA1D4C96549C", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID064B722D-079D-4EBB-B3CF-9FCBF64FFF5D", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID38F8AB0F-5DFB-43D9-889E-8717CC4AB59B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID4EC68CD1-0EF1-4CB9-9EF1-3D64AB266149", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js -

pref("capability.policy.default.ClassID.CID44F96B27-CFAD-41E1-83A1-6B28040C3BDE", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-20 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2008-9-28 33792]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091231.017\naveng.sys [2010-1-1 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091231.017\navex15.sys [2010-1-1 1323568]
S3 PCD5SRVC;PCD5SRVC - PCDR Kernel Mode Service Helper Driver;\??\c:\progra~1\pc-doc~1\pcd5srvc.pkms --> c:\progra~1\pc-doc~1\PCD5SRVC.pkms [?]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]

=============== Created Last 30 ================

2010-01-04 17:56:42 0 d-----w- c:\program files\ESET
2010-01-03 20:10:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-03 20:10:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-03 19:31:01 0 d-----w- c:\docume~1\keri\applic~1\Kontiki
2010-01-03 03:31:41 77312 ----a-w- c:\windows\MBR.exe
2010-01-03 03:31:36 261632 ----a-w- c:\windows\PEV.exe
2010-01-03 03:31:33 161792 ----a-w- c:\windows\SWREG.exe
2010-01-03 03:31:30 98816 ----a-w- c:\windows\sed.exe
2010-01-03 03:04:43 0 d-----w- C:\HostsXpert
2009-12-16 02:55:25 0 d-----w- c:\program files\Cobian Backup 9
2009-12-09 08:07:29 443 ----a-w- c:\windows\system32\MRT.INI
2009-12-08 02:07:11 0 d-----w- c:\program files\iPod
2009-12-08 02:06:34 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-12-30 19:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 19:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 15:01:30 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-23 21:35:01 61000 -c--a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\dllcache\raschap.dll
2007-01-22 14:35:48 774144 -c--a-w- c:\program files\RngInterstitial.dll
2006-02-13 02:01:46 423 -c--a-w- c:\program files\.lot
2006-02-13 02:00:38 280000 -c--a-w- c:\program files\allbox4.rpt
2006-02-13 01:59:52 180 -c--a-w- c:\program files\lotto.tmp
2008-09-05 22:40:22 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 14:40:57.35 ===============


#14 Elise


Posted 05 January 2010 - 04:18 PM

Hello Liamsdarlin,

That looks a lot better :)

You can keep the two poker programs, but it is at your own risk. Remember, it's not that these applications are necessarily bad. They are just a huge risk factor because they are often exploited.

The casino entry was either badly deleted or a leftover, no need to worry about that.

I don't know about the Firefox problem, never heard of it, afaik it's not malware related. If it starts becoming really annoying, you can try to uninstall extensions to see if that fixes the problem.


INSTALL FIREWALL
--------------------------
Install and use a firewall with outbound protection.
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Outpost Firewall Free, Sygate Personal Firewall Free or ZoneAlarm.
See BleepingComputer's excellent tutorial to help with using and understanding a firewall here.
Note - If you connect to the internet using a router, you are already behind a hardware firewall.

Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.


ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click Start > Run and type combofix /uninstall, press Enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a randomly named file) and RootRepeal.
Please read this advice, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • SpywareBlaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:
Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft

 



#15 Liamsdarlin


Posted 06 January 2010 - 12:17 AM

Hi elise025,

Thank you so much for helping and all the recommendations. I've installed ZoneAlarm for a firewall. And I installed Spyware Blaster, checked updates for Windows and my other software. I have Symantec, MBAM and Ad-Aware, not sure if I should also download SUPERAntiSpyware too. I'll check out those links you posted as well. The only other thing is what about the files that keep coming up in auto-protect? That's still happening.

Thank you again :(



