GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-14 11:17:12 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543216L9SA00 rev.FB2OC43C 149.05GB Running: gmer.exe; Driver: C:\Users\graciela\AppData\Local\Temp\fwpdykow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 616 fffff96000164ce4 8 bytes [A0, 97, 0B, 04, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000193f00 7 bytes [80, 9D, F3, FF, 01, A9, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000193f08 3 bytes [C0, 06, 02] .text ... * 106 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 400 fffff96000252c48 14 bytes [2C, 66, AE, 03, 80, F8, FF, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000149770460 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000149770450 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000149770370 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000149770470 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 00000001497703e0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000149770320 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 00000001497703b0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000149770390 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 00000001497702e0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 00000001497702d0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000149770310 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 00000001497703c0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 00000001497703f0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000149770230 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000149770480 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 00000001497703a0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 00000001497702f0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000149770350 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000149770290 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 00000001497702b0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 00000001497703d0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000149770330 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000149770410 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000149770240 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 00000001497701e0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000149770250 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000149770490 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 00000001497704a0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000149770300 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000149770360 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 00000001497702a0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 00000001497702c0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000149770380 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000149770340 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000149770440 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000149770260 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000149770270 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000149770400 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 00000001497701f0 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000149770210 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000149770200 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000149770420 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000149770430 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000149770220 .text C:\Windows\system32\csrss.exe[460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000149770280 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000149770460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000149770450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000149770370 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000149770470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 00000001497703e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000149770320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 00000001497703b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000149770390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 00000001497702e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 00000001497702d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000149770310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 00000001497703c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 00000001497703f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000149770230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000149770480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 00000001497703a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 00000001497702f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000149770350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000149770290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 00000001497702b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 00000001497703d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000149770330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000149770410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000149770240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 00000001497701e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000149770250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000149770490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 00000001497704a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000149770300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000149770360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 00000001497702a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 00000001497702c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000149770380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000149770340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000149770440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000149770260 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000149770270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000149770400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 00000001497701f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000149770210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000149770200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000149770420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000149770430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000149770220 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000149770280 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\winlogon.exe[596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\lsm.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\svchost.exe[912] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\svchost.exe[948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[972] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[972] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[528] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe[1096] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\WLANExt.exe[1236] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\spoolsv.exe[1448] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[1476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1576] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Program Files (x86)\Bonjour\mDNSResponder.exe[1620] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[1656] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\SysWOW64\nlssrv32.exe[1828] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe[1852] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[1988] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Ralink\Common\RaRegistry.exe[2016] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\tcpsvcs.exe[1324] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1340] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\svchost.exe[2068] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\system32\taskhost.exe[2944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\Explorer.EXE[3028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\Explorer.EXE[3028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3104] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\rundll32.exe[3112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\hkcmd.exe[3188] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Windows\System32\igfxpers.exe[3200] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3308] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe[3464] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe[3464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe[3464] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3560] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe[3584] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Ralink\Common\RaUI.exe[3676] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe[3756] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[3804] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[3804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe[3804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3816] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe[3884] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe[1152] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Nero\Update\NASvc.exe[3432] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3604] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe[3604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[3892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076de1360 5 bytes JMP 0000000076f40460 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076de13b0 5 bytes JMP 0000000076f40450 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076de1510 5 bytes JMP 0000000076f40370 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076de1560 5 bytes JMP 0000000076f40470 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076de1570 5 bytes JMP 0000000076f403e0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076de1620 5 bytes JMP 0000000076f40320 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076de1650 5 bytes JMP 0000000076f403b0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076de1670 5 bytes JMP 0000000076f40390 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076de16b0 5 bytes JMP 0000000076f402e0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076de1730 5 bytes JMP 0000000076f402d0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076de1750 5 bytes JMP 0000000076f40310 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076de1790 5 bytes JMP 0000000076f403c0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076de17e0 5 bytes JMP 0000000076f403f0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076de1940 5 bytes JMP 0000000076f40230 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076de1b00 5 bytes JMP 0000000076f40480 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076de1b30 5 bytes JMP 0000000076f403a0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076de1c10 5 bytes JMP 0000000076f402f0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076de1c20 5 bytes JMP 0000000076f40350 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076de1c80 5 bytes JMP 0000000076f40290 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076de1d10 5 bytes JMP 0000000076f402b0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076de1d30 5 bytes JMP 0000000076f403d0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076de1d40 5 bytes JMP 0000000076f40330 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076de1db0 5 bytes JMP 0000000076f40410 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076de1de0 5 bytes JMP 0000000076f40240 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076de20a0 5 bytes JMP 0000000076f401e0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076de2160 5 bytes JMP 0000000076f40250 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076de2190 5 bytes JMP 0000000076f40490 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076de21a0 5 bytes JMP 0000000076f404a0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076de21d0 5 bytes JMP 0000000076f40300 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076de21e0 5 bytes JMP 0000000076f40360 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076de2240 5 bytes JMP 0000000076f402a0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076de2290 5 bytes JMP 0000000076f402c0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076de22c0 5 bytes JMP 0000000076f40380 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076de22d0 5 bytes JMP 0000000076f40340 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076de25c0 5 bytes JMP 0000000076f40440 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076de27c0 5 bytes JMP 0000000076f40260 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076de27d0 5 bytes JMP 0000000076f40270 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076de27e0 5 bytes JMP 0000000076f40400 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076de29a0 5 bytes JMP 0000000076f401f0 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076de29b0 5 bytes JMP 0000000076f40210 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076de2a20 5 bytes JMP 0000000076f40200 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076de2a80 5 bytes JMP 0000000076f40420 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076de2a90 5 bytes JMP 0000000076f40430 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076de2aa0 5 bytes JMP 0000000076f40220 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076de2b80 5 bytes JMP 0000000076f40280 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter 0000000076c89b80 13 bytes {JMP QWORD [RIP+0x0]} .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter + 14 0000000076c89b8e 1 byte INT3 .text C:\Users\graciela\AppData\Local\Torch\Plugins\Hola\hola_plugin_x64.exe[4540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076cceecd 1 byte [62] .text C:\Users\graciela\Downloads\AV\gmer\gmer.exe[3728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007582a2ba 1 byte [62] ---- EOF - GMER 2.1 ----