GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-29 11:18:44 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932031 rev.0001 298,09GB Running: 0e01wteu.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\ugddrkow.sys ---- User code sections - GMER 2.1 ---- .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text c:\PROGRA~2\AVG\AVG2014\avgrsa.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000100040460 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000100040450 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000100040370 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000100040470 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 00000001000403e0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000100040320 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 00000001000403b0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000100040390 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 00000001000402e0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 00000001000402d0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000100040310 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 00000001000403c0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 00000001000403f0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000100040230 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000100040480 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 00000001000403a0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 00000001000402f0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000100040350 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000100040290 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 00000001000402b0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 00000001000403d0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000100040330 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000100040410 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000100040240 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 00000001000401e0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000100040250 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000100040490 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 00000001000404a0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000100040300 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000100040360 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 00000001000402a0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 00000001000402c0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000100040380 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000100040340 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000100040440 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000100040260 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000100040270 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000100040400 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 00000001000401f0 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000100040210 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000100040200 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000100040420 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000100040430 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000100040220 .text C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000100040280 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000149ad0460 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000149ad0450 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000149ad0370 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000149ad0470 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000149ad03e0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000149ad0320 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000149ad03b0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000149ad0390 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000149ad02e0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000149ad02d0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000149ad0310 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000149ad03c0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000149ad03f0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000149ad0230 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000149ad0480 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000149ad03a0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000149ad02f0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000149ad0350 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000149ad0290 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000149ad02b0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000149ad03d0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000149ad0330 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000149ad0410 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000149ad0240 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000149ad01e0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000149ad0250 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000149ad0490 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000149ad04a0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000149ad0300 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000149ad0360 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000149ad02a0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000149ad02c0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000149ad0380 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000149ad0340 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000149ad0440 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000149ad0260 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000149ad0270 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000149ad0400 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000149ad01f0 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000149ad0210 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000149ad0200 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000149ad0420 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000149ad0430 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000149ad0220 .text C:\Windows\system32\csrss.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000149ad0280 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\wininit.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\wininit.exe[972] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000149ad0460 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000149ad0450 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000149ad0370 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000149ad0470 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000149ad03e0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000149ad0320 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000149ad03b0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000149ad0390 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000149ad02e0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000149ad02d0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000149ad0310 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000149ad03c0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000149ad03f0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000149ad0230 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000149ad0480 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000149ad03a0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000149ad02f0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000149ad0350 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000149ad0290 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000149ad02b0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000149ad03d0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000149ad0330 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000149ad0410 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000149ad0240 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000149ad01e0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000149ad0250 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000149ad0490 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000149ad04a0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000149ad0300 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000149ad0360 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000149ad02a0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000149ad02c0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000149ad0380 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000149ad0340 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000149ad0440 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000149ad0260 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000149ad0270 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000149ad0400 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000149ad01f0 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000149ad0210 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000149ad0200 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000149ad0420 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000149ad0430 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000149ad0220 .text C:\Windows\system32\csrss.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000149ad0280 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\services.exe[296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\services.exe[296] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\lsass.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\lsm.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\winlogon.exe[900] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\atiesrxx.exe[1208] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[1324] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\atieclxx.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\WLANExt.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\spoolsv.exe[1636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe[1944] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe[2028] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2060] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Program Files (x86)\Realtek\Realtek USB 2.0 Card Reader\RIconMan.exe[2092] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2124] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2184] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[2396] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Windows\system32\TODDSrv.exe[2448] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000100070450 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 00000001000703e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 00000001000703b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000100070310 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 00000001000703c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000100070230 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 00000001000703d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000100070330 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000100070410 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000100070250 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000100070490 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 00000001000704a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000100070360 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 00000001000702a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 00000001000702c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000100070440 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000100070260 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000100070400 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000100070420 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2660] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] ? C:\Windows\system32\mssprxy.dll [2660] entry point in ".rdata" section 000000006dc771e6 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3080] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076561465 2 bytes [56, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765614bb 2 bytes [56, 76] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\SearchIndexer.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe[4292] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000100070460 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000100070450 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000100070370 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000100070470 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 00000001000703e0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000100070320 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 00000001000703b0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000100070390 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 00000001000702e0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 00000001000702d0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000100070310 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 00000001000703c0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 00000001000703f0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000100070230 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000100070480 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 00000001000703a0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 00000001000702f0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000100070350 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000100070290 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 00000001000702b0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 00000001000703d0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000100070330 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000100070410 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000100070240 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 00000001000701e0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000100070250 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000100070490 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 00000001000704a0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000100070300 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000100070360 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 00000001000702a0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 00000001000702c0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000100070380 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000100070340 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000100070440 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000100070260 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000100070270 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000100070400 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 00000001000701f0 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000100070210 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000100070200 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000100070420 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000100070430 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000100070220 .text C:\Program Files (x86)\AVG\AVG2014\avgemca.exe[4304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe[4732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe[4840] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text c:\Program Files (x86)\Nero\Update\NASvc.exe[5032] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076561465 2 bytes [56, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000765614bb 2 bytes [56, 76] .text ... * 2 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\taskhost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\taskeng.exe[4976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\Explorer.EXE[4284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\Explorer.EXE[4284] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[3844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\ProgramData\DatacardService\DCSHelper.exe[2640] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\AUDIODG.EXE[4144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076caef8d 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2904] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000074e08791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[2904] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Program Files (x86)\AVG\AVG2014\avgui.exe[4680] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Windows\SysWOW64\ctfmon.exe[1456] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] .text C:\Users\Tomek\Desktop\0e01wteu.exe[5160] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074e2a2fd 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4476:4512] 000007fefcc00168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4476:4212] 000007fef9de2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4476:824] 000007fef37e4830 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4476:2672] 000007fef8745124 ---- Processes - GMER 2.1 ---- Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2184] 000000006fbc0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2184](2013-09-01 06:49:18) 000000006e940000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2184](2 000000006a1c0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2184](2013-09-01 06:49:18) 000000006ff00000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2184](2013-09-01 06:49:18) 000000006efc0000 Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2184](201 000000006ed40000 ---- Files - GMER 2.1 ---- ADS C:\Temp:026EB853.dat 3974123 bytes executable ---- EOF - GMER 2.1 ----