GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-10 14:59:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-7 SAMSUNG_HD103SJ rev.1AJ10001 931,51GB Running: gmer.exe; Driver: C:\Users\mati\AppData\Local\Temp\ugldapob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800037ab000 15 bytes [E8, 7B, ED, F2, FF, BA, 50, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff800037ab010 31 bytes [05, 00, 48, 8B, DF, 48, 3B, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000149ca0460 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000149ca0450 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000149ca0370 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000149ca0470 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000149ca03e0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000149ca0320 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000149ca03b0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000149ca0390 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000149ca02e0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000149ca02d0 .text 
C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000149ca0310 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000149ca03c0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000149ca03f0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000149ca0230 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000149ca0480 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000149ca03a0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000149ca02f0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000149ca0350 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000149ca0290 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000149ca02b0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000149ca03d0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000149ca0330 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000149ca0410 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000149ca0240 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes 
JMP 0000000149ca01e0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000149ca0250 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000149ca0490 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000149ca04a0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000149ca0300 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000149ca0360 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000149ca02a0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000149ca02c0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000149ca0380 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000149ca0340 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000149ca0440 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000149ca0260 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000149ca0270 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000149ca0400 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000149ca01f0 .text C:\Windows\system32\csrss.exe[420] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000149ca0210 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000149ca0200 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000149ca0420 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000149ca0430 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000149ca0220 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000149ca0280 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 
.text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\wininit.exe[492] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 
.text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\wininit.exe[492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000149ca0460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000149ca0450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000149ca0370 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000149ca0470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000149ca03e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000149ca0320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
0000000076e21650 5 bytes JMP 0000000149ca03b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000149ca0390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000149ca02e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000149ca02d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000149ca0310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000149ca03c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000149ca03f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000149ca0230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000149ca0480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000149ca03a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000149ca02f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000149ca0350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000149ca0290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000149ca02b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000149ca03d0 .text C:\Windows\system32\csrss.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000149ca0330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000149ca0410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000149ca0240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000149ca01e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000149ca0250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000149ca0490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000149ca04a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000149ca0300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000149ca0360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000149ca02a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000149ca02c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000149ca0380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000149ca0340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000149ca0440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000149ca0260 .text 
C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000149ca0270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000149ca0400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000149ca01f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000149ca0210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000149ca0200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000149ca0420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000149ca0430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000149ca0220 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000149ca0280 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 
0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text 
C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\services.exe[548] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\services.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 
0000000100070370 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[568] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 00000001000702c0 .text 
C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsass.exe[568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 
0000000076f80460 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 
0000000076f803a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 
0000000076f802a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 
0000000076f80460 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\winlogon.exe[660] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text 
C:\Windows\system32\winlogon.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\winlogon.exe[660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 
bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[732] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 
0000000076f80420 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[828] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 
0000000076f801e0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[828] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\atiesrxx.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 
0000000100070390 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[956] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 
0000000100070270 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\System32\svchost.exe[1000] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 
bytes JMP 0000000076f802b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\System32\svchost.exe[1000] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 
0000000076f80370 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[348] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 
0000000076f802c0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[348] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[436] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 
0000000100070480 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[436] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 
0000000100070220 .text C:\Windows\system32\svchost.exe[436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[1188] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 
0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text 
C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[1188] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\atieclxx.exe[1300] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text 
C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1472] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007681a2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076381465 2 bytes [38, 76] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763814bb 2 bytes [38, 76] .text ... 
* 2 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\System32\spoolsv.exe[1664] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 
0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text 
C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\System32\spoolsv.exe[1664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
0000000076e21790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000100070250 .text 
C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1696] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 
0000000076f802e0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text 
C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\taskhost.exe[1740] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\taskhost.exe[1740] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 
0000000076f80320 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 
5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 
bytes JMP 0000000076f80260 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\Dwm.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 
0000000076f80320 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text 
C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\Explorer.EXE[1852] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\Explorer.EXE[1852] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\Explorer.EXE[1852] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1976] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007681a2ba 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Program Files\ATI 
Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 
0000000076f80490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[2000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2028] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007681a2ba 1 byte [62] .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes 
JMP 0000000076f80470 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\taskeng.exe[2036] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 
0000000076f80380 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\taskeng.exe[2036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text c:\Program 
Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 
0000000076e221d0 5 bytes JMP 0000000076f80300 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text c:\Program 
Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text c:\Program Files\Bonjour\mDNSResponder.exe[2184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[2272] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe[2324] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007681a2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2348] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007681a2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2348] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000733a1a22 2 bytes [3A, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2348] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000733a1ad0 2 bytes [3A, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2348] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000733a1b08 2 bytes [3A, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2348] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000733a1bba 2 bytes [3A, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2348] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000733a1bda 2 bytes [3A, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076381465 2 bytes [38, 76] .text C:\Windows\SysWOW64\PnkBstrA.exe[2348] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763814bb 2 bytes [38, 76] .text ... 
* 2 .text C:\Program Files (x86)\Prime95\prime95.exe[2384] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007681a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[2440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[2468] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 
0000000076e22190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000100070200 .text 
C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[2468] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000100070460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000100070450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000100070370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000100070470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 00000001000703e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000100070320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 00000001000703b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000100070390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 00000001000702d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000100070310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 00000001000703c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000100070230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000100070480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000100070350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000100070290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000100070330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000100070410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000100070240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000100070250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000100070490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000100070300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000100070360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 00000001000702a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 00000001000702c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000100070380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000100070340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000100070440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000100070260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000100070270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000100070400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000100070210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
0000000076e22a20 5 bytes JMP 0000000100070200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000100070420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000100070430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Program Files 
(x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 
bytes JMP 0000000076f802c0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe[2668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2696] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007681a2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076381465 2 bytes [38, 76] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2696] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000763814bb 2 bytes [38, 76] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text 
C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 
0000000076f80410 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes 
JMP 0000000076f80270 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\SearchIndexer.exe[3896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 
0000000076f803e0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[2140] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 
0000000076f80340 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[2140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\System32\svchost.exe[4624] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 
0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text 
C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\AUDIODG.EXE[2284] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 
bytes JMP 0000000076f803a0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text 
C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\AUDIODG.EXE[2284] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\AUDIODG.EXE[2284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Users\mati\Downloads\FRST64.exe[4268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d0eecd 1 byte [62] .text C:\Users\mati\AppData\Local\Temp\Rar$EX00.675\gmer.exe[4592] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007681a2ba 1 byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!memset] [3b4908c68348d1ff] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!memcpy] [ef850fc33be572f6] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_amsg_exit] [41070d8d480000] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!free] [5c70000037ae800] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_initterm] [200004f40] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!malloc] [48c38b480a75eb3b] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_XcptFilter] [394800004f220587] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!iswdigit] [ea850f000056eb1d] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!toupper] [4f1b3d01000011] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_vsnwprintf] [58b00000083e900] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!_wcsnicmp] [8e0fc33b00004f10] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[msvcrt.dll!wcschr] [2b017b8d0000119e] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlCaptureContext] [3db10f48f0c03300] IAT C:\Windows\Explorer.EXE[1852] @ 
C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlLookupFunctionEntry] [114d850f00004ee4] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwTraceMessage] [4ee8058b0000] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventWrite] [114f850f02f883] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventUnregister] [4ef82d8b4800] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!NtClose] [358b482d74eb3b48] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlNtStatusToDosError] [f8c6834800004ee4] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!NtCreateFile] [3c830ff53b4800eb] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!EtwEventRegister] [15ffcd8b48000011] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!NtFsControlFile] [c51d894800003eec] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlInitUnicodeString] [4ec61d894800004e] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[ntdll.dll!RtlVirtualUnwind] [4ea01d890000] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!UnhandledExceptionFilter] [9090909090909090] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetProcAddress] [9090909090909090] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!FreeLibrary] [6c894808245c8948] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!SetLastError] [5541544157561024] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!LocalFree] [db3320ec83485641] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!LocalAlloc] [d33be98b4ce08b4d] IAT C:\Windows\Explorer.EXE[1852] @ 
C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetLastError] [1bf000000c0840f] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!Sleep] [36850fd73b000000] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!DisableThreadLibraryCalls] [25048b4865000001] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!DelayLoadFailureHook] [8b48eb8b00000030] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!QueryPerformanceCounter] [48f0c03300eb0870] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetTickCount] [f00004fa135b10f] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentThreadId] [8b00eb0000124485] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentProcessId] [fc33b00004fa305] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [358d480000125185] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!TerminateProcess] [65358d4c0000415c] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentProcess] [4f873d89000041] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [2373f63b49c38b00] IAT C:\Windows\Explorer.EXE[1852] @ C:\Windows\System32\DAVHLPR.dll[KERNEL32.dll!LoadLibraryExA] [120a850fc33b] ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\rundll32.exe [1816:1272] 0000000077002e65 Thread C:\Windows\SysWOW64\rundll32.exe [1816:1616] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:1212] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:1800] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:1344] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:1348] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe 
[1816:1228] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:1928] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2052] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2056] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2060] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2064] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2068] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2072] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2076] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2080] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2084] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2088] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2092] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2096] 000000007055dd78 Thread C:\Windows\SysWOW64\rundll32.exe [1816:2100] 000000007055dd78 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1824:3232] 000007fefb112a7c ---- Services - GMER 2.1 ---- Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswKbd.sys (*** hidden *** ) [SYSTEM] aswKbd <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRdr2.sys (*** hidden *** ) [SYSTEM] aswRdr <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm <-- ROOTKIT !!! 
Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus <-- ROOTKIT !!! Service C:\Program Files\AVAST Software\Avast\afwServ.exe (*** hidden *** ) [AUTO] avast! Firewall <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description Avast! Mini-filter Driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 6 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ImagePath \??\C:\Windows\system32\drivers\aswKbd.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 79 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 556515 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 6 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 288 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje osłony działające w czasie rzeczywistym, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Firewall Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 7 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ImagePath \??\C:\Windows\system32\drivers\aswFsBlk.sys Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description Avast! Mini-filter Driver Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 6 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ImagePath \??\C:\Windows\system32\drivers\aswKbd.sys Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \??\C:\Windows\system32\drivers\aswRdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 79 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 556515 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ImagePath \??\C:\Windows\system32\drivers\aswSnx.sys Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ImagePath \??\C:\Windows\system32\drivers\aswSP.sys Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \??\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \??\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \??\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \??\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 6 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ImagePath \??\C:\Windows\system32\drivers\aswTdi.sys Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName aswTdi Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description aswTdi Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 288 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje osłony działające w czasie rzeczywistym, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Description Implements main functionality for avast! Firewall ---- EOF - GMER 2.1 ----