GMER 2.1.19324 - http://www.gmer.net Rootkit scan 2014-01-21 00:12:42 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST640LM0 rev.2AR1 596,17GB Running: gmer.exe; Driver: C:\Users\agata\AppData\Local\Temp\uwldapob.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800033f4000 72 bytes [00, 00, 08, 02, 44, 57, 50, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 601 fffff800033f4049 13 bytes [EA, 23, 0A, 80, FA, FF, FF, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\system32\services.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\system32\services.exe[764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\system32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\system32\svchost.exe[936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\System32\svchost.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\System32\svchost.exe[616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\System32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\System32\svchost.exe[876] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\system32\svchost.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1944] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Windows\SysWOW64\lkads.exe[1512] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\Explorer.EXE[2176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\Explorer.EXE[2176] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\taskeng.exe[2232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\National Instruments\Shared\Security\nidmsrv.exe[2348] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2792] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2816] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075951465 2 bytes [95, 75] .text C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe[2816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759514bb 2 bytes [95, 75] .text ... * 2 .text C:\Windows\SysWOW64\DllHost.exe[2868] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Windows\SysWOW64\lkcitdl.exe[2952] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Windows\SysWOW64\lkcitdl.exe[2952] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000074d01a22 2 bytes [D0, 74] .text C:\Windows\SysWOW64\lkcitdl.exe[2952] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000074d01ad0 2 bytes [D0, 74] .text C:\Windows\SysWOW64\lkcitdl.exe[2952] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000074d01b08 2 bytes [D0, 74] .text C:\Windows\SysWOW64\lkcitdl.exe[2952] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000074d01bba 2 bytes [D0, 74] .text C:\Windows\SysWOW64\lkcitdl.exe[2952] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000074d01bda 2 bytes [D0, 74] .text C:\Windows\SysWOW64\lktsrv.exe[3044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files (x86)\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe[2476] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Windows\SysWOW64\DllHost.exe[2224] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files (x86)\National Instruments\Shared\NI WebServer\SystemWebServer.exe[3156] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files (x86)\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe[3540] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4188] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4196] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Windows\system32\SearchIndexer.exe[4580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[5052] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Windows\system32\svchost.exe[5132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3308] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000077b20460 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000077b20450 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000077b20370 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000077b20470 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 0000000077b203e0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000077b20320 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 0000000077b203b0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000077b20390 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 0000000077b202e0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 0000000077b202d0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000077b20310 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 0000000077b203c0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 0000000077b203f0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000077b20230 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000077b20480 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 0000000077b203a0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 0000000077b202f0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000077b20350 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000077b20290 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 0000000077b202b0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 0000000077b203d0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000077b20330 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000077b20410 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000077b20240 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 0000000077b201e0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000077b20250 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000077b20490 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 0000000077b204a0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000077b20300 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000077b20360 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 0000000077b202a0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 0000000077b202c0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000077b20380 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000077b20340 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000077b20440 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000077b20260 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000077b20270 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000077b20400 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 0000000077b201f0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000077b20210 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000077b20200 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000077b20420 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000077b20430 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000077b20220 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000077b20280 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[1988] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\Last.fm\Last.fm Scrobbler.exe[1980] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files (x86)\Last.fm\Last.fm Scrobbler.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075951465 2 bytes [95, 75] .text C:\Program Files (x86)\Last.fm\Last.fm Scrobbler.exe[1980] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759514bb 2 bytes [95, 75] .text ... * 2 .text C:\Program Files\Sony\VAIO Care\listener.exe[6648] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000100070460 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000100070450 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000100070370 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000100070470 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 00000001000703e0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000100070320 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 5 bytes JMP 00000001000703b0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000100070390 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 00000001000702d0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 5 bytes JMP 0000000100070310 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 5 bytes JMP 00000001000703c0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000100070230 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000100070480 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000100070350 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000100070290 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000100070330 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000100070410 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000100070240 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000100070250 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000100070490 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000100070300 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000100070360 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 00000001000702a0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 00000001000702c0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000100070380 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000100070340 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 5 bytes JMP 0000000100070440 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000100070260 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000100070270 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 5 bytes JMP 0000000100070400 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000100070210 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000100070200 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000100070420 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000100070430 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[6624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 10 bytes {MOV EAX, 0x334ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000779c1550 10 bytes {MOV EAX, 0x334f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 10 bytes {MOV EAX, 0x3331f; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 10 bytes {MOV EAX, 0x33406; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 10 bytes {MOV EAX, 0x33522; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 10 bytes {MOV EAX, 0x3336b; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 10 bytes {MOV EAX, 0x333b7; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000779c2130 10 bytes {MOV EAX, 0x3356e; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 10 bytes {MOV EAX, 0x33452; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 10 bytes {MOV EAX, 0x3349e; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 10 bytes {MOV EAX, 0x335c6; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000779c29c0 10 bytes {MOV EAX, 0x3359a; MOVSXD RAX, EAX; JMP RAX} .text C:\Program Files\Sony\VAIO Care\VCAgent.exe[4280] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 0000000077b6fc81 3 bytes [9C, 3A, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b6fc85 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 0000000077b6fe15 3 bytes [45, 39, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 0000000077b6fe19 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 0000000077b6ff25 3 bytes [D8, 39, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 0000000077b6ff29 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 0000000077b6ffa5 3 bytes [CD, 3A, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 0000000077b6ffa9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 0000000077b70005 3 bytes [76, 39, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077b70009 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b70038 5 bytes JMP 00000001698f1986 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 0000000077b708a5 3 bytes [A7, 39, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 0000000077b708a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077b70ed9 3 bytes [FE, 3A, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077b70edd 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 0000000077b715d5 3 bytes [09, 3A, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 0000000077b715d9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 0000000077b71921 3 bytes [3A, 3A, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 0000000077b71925 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077b71be5 3 bytes [60, 3B, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077b71be9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077b71c15 3 bytes [2F, 3B, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077b71c19 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[5428] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 0000000077b6fc81 3 bytes [9C, 3A, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b6fc85 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 0000000077b6fe15 3 bytes [45, 39, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 0000000077b6fe19 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 0000000077b6ff25 3 bytes [D8, 39, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 0000000077b6ff29 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 0000000077b6ffa5 3 bytes [CD, 3A, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 0000000077b6ffa9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 0000000077b70005 3 bytes [76, 39, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077b70009 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b70038 5 bytes JMP 00000001698f1986 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 0000000077b708a5 3 bytes [A7, 39, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 0000000077b708a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077b70ed9 3 bytes [FE, 3A, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077b70edd 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 0000000077b715d5 3 bytes [09, 3A, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 0000000077b715d9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 0000000077b71921 3 bytes [3A, 3A, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 0000000077b71925 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077b71be5 3 bytes [60, 3B, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077b71be9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077b71c15 3 bytes [2F, 3B, 19] .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077b71c19 2 bytes {JMP RAX} .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[6236] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 0000000077b6fc81 3 bytes [9C, 3A, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b6fc85 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 0000000077b6fe15 3 bytes [45, 39, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 0000000077b6fe19 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 0000000077b6ff25 3 bytes [D8, 39, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 0000000077b6ff29 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 0000000077b6ffa5 3 bytes [CD, 3A, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 0000000077b6ffa9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 0000000077b70005 3 bytes [76, 39, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077b70009 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 0000000077b708a5 3 bytes [A7, 39, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 0000000077b708a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077b70ed9 3 bytes [FE, 3A, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077b70edd 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 0000000077b715d5 3 bytes [09, 3A, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 0000000077b715d9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 0000000077b71921 3 bytes [3A, 3A, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 0000000077b71925 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077b71be5 3 bytes [60, 3B, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077b71be9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077b71c15 3 bytes [2F, 3B, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077b71c19 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000756972a5 3 bytes [F3, 3B, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000756972a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075698be0 3 bytes [24, 3C, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075698be4 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 00000000756a1286 3 bytes [C2, 3B, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 00000000756a128a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\syswow64\USER32.dll!SendInput + 1 00000000756bff4b 3 bytes [55, 3C, 05] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4232] C:\Windows\syswow64\USER32.dll!SendInput + 5 00000000756bff4f 2 bytes {JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 10 bytes {MOV EAX, 0x334ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000779c1550 10 bytes {MOV EAX, 0x334f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 10 bytes {MOV EAX, 0x3331f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 10 bytes {MOV EAX, 0x33406; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 10 bytes {MOV EAX, 0x33522; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 10 bytes {MOV EAX, 0x3336b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 10 bytes {MOV EAX, 0x333b7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000779c2130 10 bytes {MOV EAX, 0x3356e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 10 bytes {MOV EAX, 0x33452; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 10 bytes {MOV EAX, 0x3349e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 10 bytes {MOV EAX, 0x335c6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000779c29c0 10 bytes {MOV EAX, 0x3359a; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[4828] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779c1360 5 bytes JMP 0000000100090460 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779c1380 10 bytes {MOV EAX, 0x334ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000779c13b0 5 bytes JMP 0000000100090450 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779c1510 5 bytes JMP 0000000100090370 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000779c1550 10 bytes {MOV EAX, 0x334f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779c1560 5 bytes JMP 0000000100090470 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779c1570 5 bytes JMP 00000001000903e0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000779c1620 5 bytes JMP 0000000100090320 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779c1650 10 bytes JMP 00000001000903b0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779c1670 5 bytes JMP 0000000100090390 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000779c16b0 5 bytes JMP 00000001000902e0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000779c1700 10 bytes {MOV EAX, 0x33406; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000779c1730 5 bytes JMP 00000001000902d0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779c1750 10 bytes JMP 0000000100090310 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779c1790 10 bytes JMP 00000001000903c0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000779c17e0 5 bytes JMP 00000001000903f0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779c1940 5 bytes JMP 0000000100090230 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000779c1b00 5 bytes JMP 0000000100090480 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000779c1b30 5 bytes JMP 00000001000903a0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000779c1c10 5 bytes JMP 00000001000902f0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000779c1c20 5 bytes JMP 0000000100090350 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000779c1c80 5 bytes JMP 0000000100090290 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000779c1d10 5 bytes JMP 00000001000902b0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000779c1d30 10 bytes JMP 00000001000903d0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000779c1d40 5 bytes JMP 0000000100090330 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000779c1db0 5 bytes JMP 0000000100090410 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000779c1de0 5 bytes JMP 0000000100090240 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000779c20a0 5 bytes JMP 00000001000901e0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000779c2130 10 bytes {MOV EAX, 0x3356e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779c2160 5 bytes JMP 0000000100090250 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779c2190 5 bytes JMP 0000000100090490 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000779c21a0 5 bytes JMP 00000001000904a0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000779c21d0 5 bytes JMP 0000000100090300 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000779c21e0 5 bytes JMP 0000000100090360 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779c2240 5 bytes JMP 00000001000902a0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779c2290 5 bytes JMP 00000001000902c0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779c22c0 5 bytes JMP 0000000100090380 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000779c22d0 5 bytes JMP 0000000100090340 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000779c25c0 10 bytes JMP 0000000100090440 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000779c27c0 5 bytes JMP 0000000100090260 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000779c27d0 5 bytes JMP 0000000100090270 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000779c27e0 10 bytes JMP 0000000100090400 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000779c29a0 10 bytes JMP 00000001000901f0 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000779c29b0 5 bytes JMP 0000000100090210 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000779c29c0 10 bytes {MOV EAX, 0x3359a; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000779c2a20 5 bytes JMP 0000000100090200 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000779c2a80 5 bytes JMP 0000000100090420 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000779c2a90 5 bytes JMP 0000000100090430 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000779c2aa0 5 bytes JMP 0000000100090220 .text C:\Windows\system32\taskeng.exe[6904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000779c2b80 5 bytes JMP 0000000100090280 .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 1 0000000077b6fc81 3 bytes [9C, 3A, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077b6fc85 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 1 0000000077b6fe15 3 bytes [45, 39, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory + 5 0000000077b6fe19 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 1 0000000077b6ff25 3 bytes [D8, 39, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread + 5 0000000077b6ff29 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 1 0000000077b6ffa5 3 bytes [CD, 3A, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 0000000077b6ffa9 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 1 0000000077b70005 3 bytes [76, 39, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 5 0000000077b70009 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 1 0000000077b708a5 3 bytes [A7, 39, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 5 0000000077b708a9 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077b70ed9 3 bytes [FE, 3A, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077b70edd 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 1 0000000077b715d5 3 bytes [09, 3A, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx + 5 0000000077b715d9 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 1 0000000077b71921 3 bytes [3A, 3A, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread + 5 0000000077b71925 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 1 0000000077b71be5 3 bytes [60, 3B, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 5 0000000077b71be9 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077b71c15 3 bytes [2F, 3B, 19] .text G:\gmer.exe[7280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077b71c19 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075d1a2ba 1 byte [62] .text G:\gmer.exe[7280] C:\Windows\syswow64\USER32.dll!GetPropW + 126 00000000756972a5 3 bytes [F3, 3B, 19] .text G:\gmer.exe[7280] C:\Windows\syswow64\USER32.dll!GetPropW + 130 00000000756972a9 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\syswow64\USER32.dll!RegisterClassW + 379 0000000075698be0 3 bytes [24, 3C, 19] .text G:\gmer.exe[7280] C:\Windows\syswow64\USER32.dll!RegisterClassW + 383 0000000075698be4 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 64 00000000756a1286 3 bytes [C2, 3B, 19] .text G:\gmer.exe[7280] C:\Windows\syswow64\USER32.dll!TranslateAcceleratorW + 68 00000000756a128a 2 bytes {JMP RAX} .text G:\gmer.exe[7280] C:\Windows\syswow64\USER32.dll!SendInput + 1 00000000756bff4b 3 bytes [55, 3C, 19] .text G:\gmer.exe[7280] C:\Windows\syswow64\USER32.dll!SendInput + 5 00000000756bff4f 2 bytes {JMP RAX} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_onexit] [ec834808244c8948] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_lock] [4d2c8058b4848] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!__dllonexit] [d03d833824448948] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_unlock] [c0330775000004f2] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!?terminate@@YAXXZ] [7c83480000012fe9] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [3d83482675003824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_amsg_exit] [e81c74000004d2b3] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_initterm] [774c085000021a4] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_XcptFilter] [480000010de9c033] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memset] [38247c8348382444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!malloc] [48000000f3840f00] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcsstr] [e7840f0050247c83] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_ui64tow] [50244c8b48000000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!vswprintf_s] [448948fffac04be8] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_vscwprintf] [483824448b483024] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_wcsicmp] [c9840f003883] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcstok_s] [8b483824448b4800] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!iswspace] [3b48fffac02ae808] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memcmp] [9e860f302444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memcpy] [8b483824448b4800] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcstol] [be0f30244c8b4800] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!wcscspn] [84850f3df8830804] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!calloc] [3024448b4c000000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!free] [448b485024548b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memmove_s] [20dee8088b483824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!memcpy_s] [8b486975c0850000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_wsplitpath_s] [8b48008b48382444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_vsnwprintf] [108448d4830244c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!sqrtf] [c88b4800007fffba] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!logf] [ff3d4800001c9be8] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!__CxxFrameHandler3] [58d482e7200007f] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!_CxxThrowException] [244489480003d30c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[msvcrt.dll!ceilf] [9fb841c9334520] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetModuleHandleW] [9de800000002b900] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateToolhelp32Snapshot] [37501f883fffb05] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetCurrentThreadId] [3824448b48c033cc] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!Sleep] [30244c8b48008b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CompareStringOrdinal] [4815eb0108448d48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetVersion] [8c083483824448b] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LocalFree] [ff28e93824448948] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetLastError] [48c48348c033ffff] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DeactivateActCtx] [ccccccccccccccc3] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetLastError] [44894c20244c894c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LoadLibraryW] [4810245489481824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetProcAddress] [38ec834808244c89] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ActivateActCtx] [c5dee800000007b9] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FindActCtxSectionStringW] [58244c8b4c90fffb] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateActCtxW] [548b485024448b4c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetModuleFileNameW] [e840244c8b484824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetModuleHandleExW] [2024448900000024] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!QueryActCtxW] [c616e800000007b9] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!OutputDebugStringA] [83482024448bfffb] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CloseHandle] [cccccccccccccccc] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!WaitForSingleObject] [a740060247c8348] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateEventW] [1402444c7] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetEvent] [402444c708eb] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DeleteFileW] [44894024448b0000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CompareFileTime] [750038247c833824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!lstrlenW] [3d390058d482e] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetFileAttributesW] [c933452024448948] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateFileW] [8d48000000e0b841] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalFree] [2b90003d15315] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateThread] [83fffb0499e80000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LocalAlloc] [83c033cc037501f8] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!lstrcmpW] [c5e83e750038247c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!lstrcmpiW] [1600c7fffb82] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FreeLibrary] [202444c74800] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SizeofResource] [e0b9410000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LockResource] [480003d119058d4c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LoadResource] [8d480003d312158d] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FindResourceW] [e4a6e80003d3330d] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FindResourceExW] [e900000016b8fffb] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetFileAttributesW] [24448b4800000165] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetSystemTime] [c74860] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SystemTimeToTzSpecificLocalTime] [8740068247c8348] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!WaitForMultipleObjects] [1a770070247c8348] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FileTimeToSystemTime] [8750068247c8348] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalAlloc] [a740070247c8348] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalReAlloc] [442444c7] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SystemTimeToFileTime] [1442444c708eb] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetTickCount] [44894424448b0000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!Process32FirstW] [75003c247c833c24] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ReadFile] [3d208058d482e] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!WriteFile] [c933452024448948] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetFilePointerEx] [8d48000000e2b841] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FlushFileBuffers] [2b90003d09315] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetFileInformationByHandle] [83fffb03d9e80000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalSize] [83c033cc037501f8] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalLock] [5e83e75003c247c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GlobalUnlock] [1600c7fffb82] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetCurrentProcessId] [202444c74800] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FileTimeToLocalFileTime] [e2b9410000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetDateFormatW] [480003d059058d4c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetTimeFormatW] [8d480003d252158d] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!FormatMessageW] [e3e6e80003d1ab0d] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ReleaseActCtx] [e900000016b8fffb] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ExpandEnvironmentStringsW] [247c8348000000a5] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DosDateTimeToFileTime] [24448b4808740068] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!EnumUILanguagesW] [244c8b480000c668] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetUserDefaultUILanguage] [8948fffffcb2e878] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetLocaleInfoW] [30247c8348302444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetDriveTypeW] [487aebc033047500] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetProcessHeap] [244c8b48c0ff48ff] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!HeapFree] [247c834801894860] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DisableThreadLibraryCalls] [59ebc03304750070] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetSystemDirectoryW] [4c8b486024448b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetNumberFormatW] [b807760839487024] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!MulDiv] [8b4c43eb00000022] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetTempPathW] [7024548b48302444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!CreateDirectoryW] [dd06e868244c8b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!TzSpecificLocalTimeToSystemTime] [282444c748fffa] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!QueryPerformanceCounter] [fe202444c7000000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!QueryPerformanceFrequency] [cfae0d8d4c000000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!ResetEvent] [3d1a7058d4c0003] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!LoadLibraryExA] [3d0b0158d4800] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!DelayLoadFailureHook] [33fffae4f9e8c88b] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!HeapDestroy] [ccccc358c48348c0] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RaiseException] [282444c738ec83] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetVersionExA] [202444c748000000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [1b94100000000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!TerminateProcess] [485024448b4c0000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetCurrentProcess] [244c8b484824548b] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!UnhandledExceptionFilter] [834800000012e840] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [ccccccccccc338c4] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RtlVirtualUnwind] [cccccccccccccccc] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RtlLookupFunctionEntry] [44894c20244c8944] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!RtlCaptureContext] [4810245489481824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!Process32NextW] [48ec834808244c89] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!OpenProcess] [c30ee800000007b9] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[KERNEL32.dll!GetProcessTimes] [897824448b90fffb] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptAcquireContextW] [4c8b442024448948] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptImportKey] [486024448b4c6824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptCreateHash] [244c8b485824548b] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptHashData] [448900000022e850] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptSignHashW] [e800000007b93024] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptDestroyHash] [3024448bfffbc334] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptDestroyKey] [ccccccc348c48348] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!CryptReleaseContext] [cccccccccccccccc] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegCloseKey] [4810245489481824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegOpenKeyExW] [58ec834808244c89] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegQueryValueExW] [a740060247c8348] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[ADVAPI32.dll!RegEnumKeyW] [1482444c7] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetDeviceCaps] [83fffb01b9e80000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!DeleteDC] [83c033cc037501f8] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetTextExtentPoint32W] [e5e83e750040247c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetStockObject] [1600c7fffb7f] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!GetTextExtentPointW] [202444c74800] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!CreateDIBSection] [158b9410000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!DeleteObject] [480003ce39058d4c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[GDI32.dll!CreateCompatibleDC] [8d480003d0ea158d] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrRetToBufW] [24448b4800000195] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHGetThreadRef] [c74860] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHRegGetValueW] [c7486824448b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrStrIW] [4c2444c70a740070] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathCombineW] [3cdb7158d480000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCmpIW] [44247c83c033cc] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrStrW] [c7fffb7f29e83e75] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCSpnW] [44c7480000001600] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathFindFileNameW] [b941000000002024] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrFormatByteSizeW] [7d058d4c0000015e] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCmpW] [d02e158d480003cd] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHGetValueW] [3d0070d8d480003] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!StrCmpLogicalW] [d9e9000000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathRemoveBlanksW] [f9e6e870244c8b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!AssocQueryKeyW] [483824448948ffff] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathRemoveExtensionW] [3307750038247c83] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!SHStrDupW] [8b48000000bbe9c0] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathStripPathW] [fffaba88e838244c] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathAddBackslashW] [3024448948c0ff48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathAppendW] [890000008824848b] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!AssocCreate] [80248c8b4c202444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathFindExtensionW] [7824448b44000000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[SHLWAPI.dll!PathRemoveFileSpecW] [4801894860244c8b] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!UnregisterClassA] [7e76e80000000c00] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DialogBoxParamW] [8b4c5beb008bfffb] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!InsertMenuW] [3024548b48382444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CharNextW] [88b486024448b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!RemoveMenu] [44c748fffada0be8] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetSubMenu] [44c7000000002824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!TrackPopupMenu] [8d4c000001722024] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetFocus] [58d4c0003ccb30d] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetForegroundWindow] [fd158d480003cf64] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetForegroundWindow] [e1fee8c88b0003ce] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetShellWindow] [68247c8348fffa] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadMenuW] [486824448b480d74] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DestroyMenu] [3308894830244c8b] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadStringW] [ccccc358c48348c0] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SendMessageW] [244c891024548948] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetClassNameW] [7c834868ec834808] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetMenuDefaultItem] [58d482e75007824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadIconW] [2444894800033454] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowTextW] [64b841c9334520] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetDlgItemTextW] [333cf158d480000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!EndDialog] [95e800000002b900] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetDlgItem] [37501f883fffaff] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowLongPtrW] [7824448b48c033cc] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowLongPtrW] [4c8b483824448948] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!IsDlgButtonChecked] [89fffe05a9e83824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!UnhookWindowsHookEx] [3824448b48442444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SendDlgItemMessageW] [822518408b] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CheckDlgButton] [fb7d9fe82a75c085] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!EnableWindow] [480000000900c7ff] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!ShowWindow] [8318408b3824448b] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowLongW] [8938244c8b4820c8] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowLongW] [e90000ffffb81841] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetClientRect] [8b4837eb000002eb] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetSystemMetrics] [e08318408b382444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadImageW] [7d66e82874c08540] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetParent] [2200c7fffb] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!IsChild] [18408b3824448b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CallNextHookEx] [38244c8b4820c883] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CreateWindowExW] [ffffb8184189] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowPos] [448b48000002b2e9] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetWindowsHookExW] [1e08318408b3824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetDC] [24448b485e74c085] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!ReleaseDC] [840c738] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowRect] [18408b3824448b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!ScreenToClient] [482674c08510e083] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SetTimer] [244c8b483824448b] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!KillTimer] [8894810498b4838] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!PostMessageW] [18408b3824448b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetDlgCtrlID] [38244c8b48fee083] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DestroyIcon] [448b481deb184189] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowTextW] [20c88318408b3824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!CopyImage] [18418938244c8b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetSysColor] [245e90000ffffb8] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetCursorPos] [8b3824448b480000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetClassInfoW] [448b481841893824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!LoadCursorW] [efe08318408b3824] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!RegisterClassW] [18418938244c8b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!FindWindowW] [840c73824448b48] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindow] [302444c700000000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetWindowThreadProcessId] [3024448b00000000] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SendMessageTimeoutW] [24448b4840244489] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!SwitchToThisWindow] [10c2518408b38] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetLastActivePopup] [cee83775c08500] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!DestroyWindow] [394830c08348fffe] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!RegisterClipboardFormatW] [bee81074382444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetMenuItemInfoW] [394860c08348fffe] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[USER32.dll!GetMenuItemCount] [244c8b0d75382444] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[WINMM.dll!timeSetEvent] [e838244c8b480a75] IAT C:\Windows\Explorer.EXE[2176] @ C:\Windows\system32\wpdshext.dll[WINMM.dll!timeKillEvent] [24448b48fffdfe8c] ---- Devices - GMER 2.1 ---- Device \Driver\USBSTOR -> DriverStartIo \Device\000000c3 fffff8801275b9c4 Device \Driver\USBSTOR \Device\000000c3 fffff8801276d578 Device \Driver\USBSTOR -> DriverStartIo \Device\000000c4 fffff8801275b9c4 Device \Driver\USBSTOR \Device\000000c4 fffff8801276d578 ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2488:2528] 0000000075967587 Thread [2592:2620] 0000000077ba3e85 Thread [2592:2628] 0000000075967587 Thread [2592:2636] 0000000077ba2e65 Thread [2592:2656] 0000000077ba3e85 Thread [7104:1296] 0000000067584f10 Thread [7104:4172] 0000000077ba2e65 Thread [7104:1488] 0000000070d129e1 Thread [7104:4372] 0000000070d129e1 Thread [7104:6124] 0000000070d129e1 Thread [7104:4328] 0000000070d129e1 Thread [7104:5176] 0000000070d129e1 Thread [7104:7308] 0000000070d129e1 Thread [7104:2188] 0000000070d129e1 Thread [7104:6920] 0000000070d129e1 Thread [7104:8096] 0000000070d129e1 Thread [7104:8104] 0000000077ba3e85 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----