GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-04-03 02:55:36 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB Running: 1bf36rgn.exe; Driver: C:\Users\Zosia\AppData\Local\Temp\ugtyipod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 000000014a600470 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 000000014a600460 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 000000014a600370 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 000000014a600480 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 000000014a6003e0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 000000014a600320 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 000000014a6003b0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 000000014a600390 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 000000014a6002e0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 000000014a600440 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 000000014a6002d0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 000000014a600310 .text C:\Windows\system32\csrss.exe[584] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 000000014a6003c0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 000000014a6003f0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 000000014a600230 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0xffffffffd36ae890} .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 000000014a600490 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 000000014a6003a0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 000000014a6002f0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 000000014a600350 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 000000014a600290 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 000000014a6002b0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 000000014a6003d0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 000000014a600330 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0xffffffffd36ae590} .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 000000014a600410 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 000000014a600240 
.text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 000000014a6001e0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 000000014a600250 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0xffffffffd36ae090} .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 000000014a6004a0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 000000014a6004b0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 000000014a600300 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 000000014a600360 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 000000014a6002a0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 000000014a6002c0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 000000014a600380 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 000000014a600340 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 000000014a600450 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 000000014a600260 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 000000014a600270 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes 
JMP 000000014a600400 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 000000014a6001f0 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 000000014a600210 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 000000014a600200 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 000000014a600420 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 000000014a600430 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 000000014a600220 .text C:\Windows\system32\csrss.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 000000014a600280 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000000770b0470 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 00000000770b0460 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000000770b0370 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000000770b0480 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000000770b03e0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 00000000770b0320 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000000770b03b0 .text C:\Windows\system32\lsass.exe[644] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000000770b0390 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000000770b02e0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 00000000770b0440 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000000770b02d0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000000770b0310 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000000770b03c0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000000770b03f0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000000770b0230 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000000770b0490 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000000770b03a0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000000770b02f0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000000770b0350 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000000770b0290 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000000770b02b0 .text 
C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000000770b03d0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000000770b0330 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 00000000770b0410 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000000770b0240 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000000770b01e0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000000770b0250 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000000770b04a0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000000770b04b0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000000770b0300 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000000770b0360 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000000770b02a0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000000770b02c0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000000770b0380 
.text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 00000000770b0340 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 00000000770b0450 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000000770b0260 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000000770b0270 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000000770b0400 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000000770b01f0 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000000770b0210 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000000770b0200 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000000770b0420 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 00000000770b0430 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000000770b0220 .text C:\Windows\system32\lsass.exe[644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000000770b0280 .text C:\Windows\system32\lsass.exe[644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000000770b0470 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes 
JMP 00000000770b0460 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000000770b0370 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000000770b0480 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000000770b03e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 00000000770b0320 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000000770b03b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000000770b0390 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000000770b02e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 00000000770b0440 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000000770b02d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000000770b0310 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000000770b03c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000000770b03f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000000770b0230 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[808] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000000770b0490 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000000770b03a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000000770b02f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000000770b0350 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000000770b0290 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000000770b02b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000000770b03d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000000770b0330 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 00000000770b0410 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000000770b0240 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000000770b01e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000000770b0250 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 
00000000770b04a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000000770b04b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000000770b0300 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000000770b0360 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000000770b02a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000000770b02c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000000770b0380 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 00000000770b0340 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 00000000770b0450 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000000770b0260 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000000770b0270 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000000770b0400 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000000770b01f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000000770b0210 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000000770b0200 .text C:\Windows\system32\svchost.exe[808] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000000770b0420 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 00000000770b0430 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000000770b0220 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000000770b0280 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000000770b0470 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 00000000770b0460 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000000770b0370 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000000770b0480 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000000770b03e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 00000000770b0320 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000000770b03b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000000770b0390 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000000770b02e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 
00000000770b0440 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000000770b02d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000000770b0310 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000000770b03c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000000770b03f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000000770b0230 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000000770b0490 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000000770b03a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000000770b02f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000000770b0350 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000000770b0290 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000000770b02b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000000770b03d0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000000770b0330 .text C:\Windows\System32\svchost.exe[1016] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 00000000770b0410 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000000770b0240 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000000770b01e0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000000770b0250 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000000770b04a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000000770b04b0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000000770b0300 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000000770b0360 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000000770b02a0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000000770b02c0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000000770b0380 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 00000000770b0340 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 
00000000770b0450 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000000770b0260 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000000770b0270 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000000770b0400 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000000770b01f0 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000000770b0210 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000000770b0200 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000000770b0420 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 00000000770b0430 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000000770b0220 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000000770b0280 .text C:\Windows\System32\svchost.exe[1016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000000770b0470 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 00000000770b0460 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000000770b0370 .text C:\Windows\System32\svchost.exe[408] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000000770b0480 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000000770b03e0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 00000000770b0320 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000000770b03b0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000000770b0390 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000000770b02e0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 00000000770b0440 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000000770b02d0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000000770b0310 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000000770b03c0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000000770b03f0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000000770b0230 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000000770b0490 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 
00000000770b03a0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000000770b02f0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000000770b0350 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000000770b0290 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000000770b02b0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000000770b03d0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000000770b0330 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 00000000770b0410 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000000770b0240 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000000770b01e0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000000770b0250 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000000770b04a0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000000770b04b0 .text C:\Windows\System32\svchost.exe[408] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000000770b0300 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000000770b0360 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000000770b02a0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000000770b02c0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000000770b0380 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 00000000770b0340 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 00000000770b0450 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000000770b0260 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000000770b0270 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000000770b0400 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000000770b01f0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000000770b0210 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000000770b0200 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000000770b0420 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 
00000000770b0430 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000000770b0220 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000000770b0280 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000000770b0470 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 00000000770b0460 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000000770b0370 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000000770b0480 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000000770b03e0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 00000000770b0320 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000000770b03b0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000000770b0390 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000000770b02e0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 00000000770b0440 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000000770b02d0 .text C:\Windows\system32\svchost.exe[472] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000000770b0310 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000000770b03c0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000000770b03f0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000000770b0230 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000000770b0490 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000000770b03a0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000000770b02f0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000000770b0350 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000000770b0290 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000000770b02b0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000000770b03d0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000000770b0330 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 
00000000770b0410 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000000770b0240 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000000770b01e0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000000770b0250 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000000770b04a0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000000770b04b0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000000770b0300 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000000770b0360 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000000770b02a0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000000770b02c0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000000770b0380 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 00000000770b0340 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 00000000770b0450 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000000770b0260 .text C:\Windows\system32\svchost.exe[472] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000000770b0270 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000000770b0400 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000000770b01f0 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000000770b0210 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000000770b0200 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000000770b0420 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 00000000770b0430 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000000770b0220 .text C:\Windows\system32\svchost.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000000770b0280 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000000770b0470 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 00000000770b0460 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000000770b0370 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000000770b0480 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000000770b03e0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 
00000000770b0320 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000000770b03b0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000000770b0390 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000000770b02e0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 00000000770b0440 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000000770b02d0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000000770b0310 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000000770b03c0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000000770b03f0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000000770b0230 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000000770b0490 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000000770b03a0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000000770b02f0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000000770b0350 .text C:\Windows\system32\svchost.exe[708] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000000770b0290 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000000770b02b0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000000770b03d0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000000770b0330 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 00000000770b0410 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000000770b0240 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000000770b01e0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000000770b0250 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000000770b04a0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000000770b04b0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000000770b0300 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000000770b0360 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000000770b02a0 
.text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000000770b02c0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000000770b0380 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 00000000770b0340 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 00000000770b0450 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000000770b0260 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000000770b0270 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000000770b0400 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000000770b01f0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000000770b0210 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000000770b0200 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000000770b0420 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 00000000770b0430 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000000770b0220 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000000770b0280 .text C:\Windows\system32\svchost.exe[708] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 
00000001000703f0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0xffffffff8911e890} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0xffffffff8911e590} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000001000701e0 .text 
C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0xffffffff8911e090} .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1172] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1172] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000000770b0470 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 00000000770b0460 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000000770b0370 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000000770b0480 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000000770b03e0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 00000000770b0320 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000000770b03b0 .text 
C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000000770b0390 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000000770b02e0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 00000000770b0440 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000000770b02d0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000000770b0310 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000000770b03c0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000000770b03f0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000000770b0230 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000000770b0490 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000000770b03a0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000000770b02f0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000000770b0350 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000000770b0290 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000000770b02b0 .text C:\Windows\Explorer.EXE[1660] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000000770b03d0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000000770b0330 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 00000000770b0410 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000000770b0240 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000000770b01e0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000000770b0250 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000000770b04a0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000000770b04b0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000000770b0300 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000000770b0360 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000000770b02a0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000000770b02c0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000000770b0380 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 
00000000770b0340 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 00000000770b0450 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000000770b0260 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000000770b0270 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000000770b0400 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000000770b01f0 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000000770b0210 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000000770b0200 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000000770b0420 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 00000000770b0430 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000000770b0220 .text C:\Windows\Explorer.EXE[1660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000000770b0280 .text C:\Windows\Explorer.EXE[1660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2516] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] .text C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe[3500] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 
0000000075a2a30a 1 byte [62] .text C:\Program Files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe[3584] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077100018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077101900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007711c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077121217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075c0ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075c13982 
5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075c17603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075c1835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[4768] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075c2f52b 5 bytes JMP 0000000100110a08 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000001001b0470 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 00000001001b0460 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000001001b0370 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000001001b0480 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000001001b03e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 00000001001b0320 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000001001b03b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000001001b0390 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000001001b02e0 .text 
C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 00000001001b0440 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000001001b02d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000001001b0310 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000001001b03c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000001001b03f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000001001b0230 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0xffffffff8925e890} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000001001b0490 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000001001b03a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000001001b02f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000001001b0350 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000001001b0290 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 
0000000076f51d70 5 bytes JMP 00000001001b02b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000001001b03d0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000001001b0330 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0xffffffff8925e590} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 00000001001b0410 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000001001b0240 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000001001b01e0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000001001b0250 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0xffffffff8925e090} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000001001b04a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000001001b04b0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000001001b0300 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000001001b0360 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000001001b02a0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000001001b02c0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000001001b0380 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 00000001001b0340 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 00000001001b0450 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000001001b0260 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000001001b0270 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000001001b0400 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000001001b01f0 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000001001b0210 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000001001b0200 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000001001b0420 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 00000001001b0430 .text C:\Program Files\AVAST 
Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000001001b0220 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000001001b0280 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d81465 2 bytes [D8, 74] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d814bb 2 bytes [D8, 74] .text ... * 2 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077100018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[2476] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077101900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[2476] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007711c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[2476] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077121217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[2476] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] .text 
C:\Program Files (x86)\AVG Secure Search\vprot.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d81465 2 bytes [D8, 74] .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d814bb 2 bytes [D8, 74] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f23ae0 5 bytes JMP 000000010046075c .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076f27a90 5 bytes JMP 00000001004603a4 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f51490 5 bytes JMP 0000000100460b14 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f514f0 5 bytes JMP 0000000100460ecc .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 000000010046163c .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
0000000076f516d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f51810 5 bytes JMP 0000000100461284 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0xffffffff8911e890} .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[5884] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0xffffffff8911e590} .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0xffffffff8911e090} .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 0000000100070360 .text 
C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000001004619f4 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 
0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[5884] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[5584] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077100018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[700] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077101900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[700] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007711c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[700] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077121217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[700] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] .text C:\Program Files\Sony\VAIO 
Care\VCPerfService.exe[6548] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6548] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd686e00 5 bytes JMP 000007ff7d6a1dac .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd686f2c 5 bytes JMP 000007ff7d6a0ecc .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd687220 5 bytes JMP 000007ff7d6a1284 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd68739c 5 bytes JMP 000007ff7d6a163c .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6548] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd687538 5 bytes JMP 000007ff7d6a19f4 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd6875e8 5 bytes JMP 000007ff7d6a03a4 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6548] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd68790c 5 bytes JMP 000007ff7d6a075c .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[6548] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd687ab4 5 bytes JMP 000007ff7d6a0b14 .text C:\Program Files\Sony\VAIO Care\VCService.exe[5500] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files\Sony\VAIO Care\VCService.exe[5500] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files\Sony\VAIO Care\VCService.exe[5500] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files\Sony\VAIO Care\VCService.exe[5500] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077100018 5 bytes JMP 
0000000100030a08 .text C:\Program Files\Sony\VAIO Care\VCService.exe[5500] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077101900 5 bytes JMP 0000000100030e10 .text C:\Program Files\Sony\VAIO Care\VCService.exe[5500] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007711c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files\Sony\VAIO Care\VCService.exe[5500] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077121217 5 bytes JMP 00000001000303fc .text C:\Program Files\Sony\VAIO Care\VCService.exe[5500] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770ffaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770ffb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770ffc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077100018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe[1248] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077101900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe[1248] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007711c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe[1248] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077121217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe[1248] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770ffaa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770ffb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770ffc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077100018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077101900 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007711c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077121217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000075c0ee09 5 bytes JMP 00000001000901f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000075c13982 5 bytes JMP 00000001000903fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000075c17603 5 bytes JMP 0000000100090804 .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000075c1835c 5 bytes JMP 0000000100090600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000075c2f52b 5 bytes JMP 0000000100090a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100121014 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100120804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100120a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100120c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100120e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001001201f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001001203fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100120600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d81465 2 bytes [D8, 74] .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[2948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d814bb 2 bytes [D8, 74] .text ... * 2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000770ff991 8 bytes {MOV EDX, 0x903e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 15 00000000770ff99b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 00000000770ffa0d 8 bytes {MOV EDX, 0x901a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 15 00000000770ffa17 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000770ffaa0 5 bytes JMP 00000001000d0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 00000000770ffb25 8 bytes {MOV EDX, 0x90168; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 15 00000000770ffb2f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000770ffb38 5 bytes JMP 00000001000d0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000770ffbd5 8 bytes {MOV EDX, 0x90428; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 15 00000000770ffbdf 1 byte [90] .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000770ffc05 8 bytes {MOV EDX, 0x90368; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 15 00000000770ffc0f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000770ffc1d 8 bytes {MOV EDX, 0x90128; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 15 00000000770ffc27 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000770ffc35 8 bytes {MOV EDX, 0x904e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 15 00000000770ffc3f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000770ffc65 8 bytes {MOV EDX, 0x90528; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 15 00000000770ffc6f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000770ffc90 5 bytes JMP 00000001000d0c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000770ffce5 8 bytes {MOV EDX, 0x904a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 15 00000000770ffcef 1 byte [90] .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000770ffcfd 8 bytes {MOV EDX, 0x90468; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 15 00000000770ffd07 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000770ffd49 8 bytes {MOV EDX, 0x90068; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 15 00000000770ffd53 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 5 00000000770ffdad 8 bytes {MOV EDX, 0x902e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 15 00000000770ffdb7 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000770ffe41 8 bytes {MOV EDX, 0x900a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 15 00000000770ffe4b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 00000000770fff89 8 bytes {MOV EDX, 0x902a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 15 00000000770fff93 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077100018 5 bytes JMP 00000001000d0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] 
C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077100099 8 bytes {MOV EDX, 0x90028; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 15 00000000771000a3 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 5 0000000077100781 8 bytes {MOV EDX, 0x90268; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 15 000000007710078b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 0000000077100ffd 8 bytes {MOV EDX, 0x901e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 15 0000000077101007 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 5 000000007710105d 8 bytes {MOV EDX, 0x90228; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 15 0000000077101067 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771010a5 8 bytes {MOV EDX, 0x903a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 15 00000000771010af 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007710111d 8 bytes {MOV EDX, 0x90328; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 15 0000000077101127 1 byte [90] .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077101321 8 bytes {MOV EDX, 0x900e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 15 000000007710132b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077101900 5 bytes JMP 00000001000d0e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007711c45a 5 bytes JMP 00000001000d01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077121217 5 bytes JMP 00000001000d03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075a0103d 5 bytes JMP 0000000100010030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075a01072 5 bytes JMP 0000000100010070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\KERNELBASE.dll!CreateEventW 0000000074fc119f 5 bytes JMP 0000000100020030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\KERNELBASE.dll!OpenEventW 0000000074fc11cf 5 bytes JMP 0000000100020070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!MapWindowPoints 0000000075c08c40 5 bytes JMP 00000001000f0570 .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!RegisterClipboardFormatW 0000000075c09ebd 5 bytes JMP 00000001000f02b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000075c0ee09 5 bytes JMP 00000001001001f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!RegisterClipboardFormatA 0000000075c10afa 5 bytes JMP 00000001000f02f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetClientRect 0000000075c10c62 7 bytes JMP 00000001000f05b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetParent 0000000075c10f68 7 bytes JMP 00000001000f06f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!IsWindowVisible 0000000075c1112d 7 bytes JMP 00000001000f06b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!PostMessageW 0000000075c112a5 5 bytes JMP 00000001000f05f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!ScreenToClient 0000000075c1227d 7 bytes JMP 00000001000f0670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!MonitorFromWindow 0000000075c13150 7 bytes JMP 00000001000f0630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!UnhookWinEvent 0000000075c13982 5 bytes JMP 00000001001003fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!SetCursor 0000000075c141f6 5 bytes JMP 00000001000f0530 .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetClipboardFormatNameA 0000000075c168ef 5 bytes JMP 00000001000f0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000075c17603 5 bytes JMP 0000000100100804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetClipboardFormatNameW 0000000075c177fa 5 bytes JMP 00000001000f0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetTopWindow 0000000075c17887 7 bytes JMP 00000001000f0730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000075c1835c 5 bytes JMP 0000000100100600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!IsClipboardFormatAvailable 0000000075c18676 5 bytes JMP 00000001000f00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetClipboardSequenceNumber 0000000075c18696 5 bytes JMP 00000001000f0330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!CloseClipboard 0000000075c18e8d 5 bytes JMP 00000001000f00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!OpenClipboard 0000000075c18ecb 5 bytes JMP 00000001000f0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!ChangeClipboardChain 0000000075c1c17b 5 bytes JMP 00000001000f0430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!EnumClipboardFormats 0000000075c1c449 5 bytes JMP 00000001000f01b0 .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetOpenClipboardWindow 0000000075c1c468 5 bytes JMP 00000001000f03f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!CountClipboardFormats 0000000075c1c486 5 bytes JMP 00000001000f01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!SetClipboardViewer 0000000075c1c4b6 5 bytes JMP 00000001000f04b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!ActivateKeyboardLayout 0000000075c1d6c0 5 bytes JMP 00000001000f04f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetClipboardOwner 0000000075c1e360 5 bytes JMP 00000001000f0370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!UnhookWindowsHookEx 0000000075c2f52b 5 bytes JMP 0000000100100a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!SetClipboardData 0000000075c48e57 5 bytes JMP 00000001000f0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!SetCursorPos 0000000075c49cfd 5 bytes JMP 00000001000f0770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetClipboardData 0000000075c49f1d 5 bytes JMP 00000001000f0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!EmptyClipboard 0000000075c67cb9 5 bytes JMP 00000001000f0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetClipboardViewer 0000000075c68111 5 bytes JMP 00000001000f0470 .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\user32.DLL!GetPriorityClipboardFormat 0000000075c6832f 5 bytes JMP 00000001000f03b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetDeviceCaps 00000000750b4de0 5 bytes JMP 00000001001103b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SelectObject 00000000750b4f70 5 bytes JMP 00000001001105f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SetBkMode 00000000750b51a2 5 bytes JMP 00000001001108f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SetTextColor 00000000750b522d 5 bytes JMP 0000000100110a30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!DeleteObject 00000000750b5689 5 bytes JMP 00000001001101b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000750b58b3 5 bytes JMP 0000000100110170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetCurrentObject 00000000750b6bad 5 bytes JMP 0000000100110370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SaveDC 00000000750b6e05 5 bytes JMP 0000000100110570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!RestoreDC 00000000750b6ead 5 bytes JMP 0000000100110530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SetStretchBltMode 00000000750b7180 5 bytes JMP 00000001001106b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] 
C:\Windows\syswow64\GDI32.dll!StretchDIBits 00000000750b7435 5 bytes JMP 0000000100110770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000750b7bcc 5 bytes JMP 00000001001100b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!IntersectClipRect 00000000750b7dc4 5 bytes JMP 00000001001103f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetTextAlign 00000000750b7fd5 5 bytes JMP 0000000100110d70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetTextMetricsW 00000000750b82b2 5 bytes JMP 0000000100110e30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SetTextAlign 00000000750b8401 5 bytes JMP 00000001001109f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!ExtSelectClipRgn 00000000750b879f 5 bytes JMP 00000001001102f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SelectClipRgn 00000000750b8916 5 bytes JMP 00000001001105b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!ExtTextOutW 00000000750b8b7a 5 bytes JMP 0000000100110970 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!MoveToEx 00000000750b8ee6 5 bytes JMP 0000000100110470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetFontData 00000000750b9875 5 bytes JMP 0000000100110c70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetTextFaceW 00000000750b9936 5 bytes JMP 0000000100110d30 .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!Rectangle 00000000750ba53a 5 bytes JMP 00000001001109b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetClipBox 00000000750baf9f 5 bytes JMP 0000000100110330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!LineTo 00000000750bb9e5 5 bytes JMP 0000000100110430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SetICMMode 00000000750bbd55 5 bytes JMP 0000000100110db0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!CreateICW 00000000750bc040 5 bytes JMP 0000000100110130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32W 00000000750bc107 5 bytes JMP 0000000100110670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SetWorldTransform 00000000750bc269 5 bytes JMP 00000001001106f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetTextMetricsA 00000000750bd1f1 5 bytes JMP 0000000100110df0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32A 00000000750bd349 5 bytes JMP 0000000100110630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!ExtTextOutA 00000000750bdce4 5 bytes JMP 0000000100110930 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000750be743 5 bytes JMP 00000001001100f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] 
C:\Windows\syswow64\GDI32.dll!ExtEscape 00000000750c03b7 5 bytes JMP 00000001001102b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!Escape 00000000750c1bda 5 bytes JMP 0000000100110270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetTextFaceA 00000000750c1e89 5 bytes JMP 0000000100110cf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SetPolyFillMode 00000000750c4843 5 bytes JMP 0000000100110b30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SetMiterLimit 00000000750c5690 5 bytes JMP 0000000100110b70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!EndPage 00000000750c6bde 5 bytes JMP 0000000100110230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!ResetDCW 00000000750ce2db 5 bytes JMP 0000000100110ab0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!GetGlyphOutlineW 00000000750d940d 5 bytes JMP 0000000100110cb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!CreateScalableFontResourceW 00000000750dc621 5 bytes JMP 0000000100110bb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!AddFontResourceW 00000000750dd2b2 5 bytes JMP 0000000100110bf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!RemoveFontResourceW 00000000750dd919 5 bytes JMP 0000000100110c30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!AbortDoc 00000000750e3adc 5 bytes JMP 0000000100110030 .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!EndDoc 00000000750e3f29 5 bytes JMP 00000001001101f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!StartPage 00000000750e401a 5 bytes JMP 0000000100110730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!StartDocW 00000000750e4c51 5 bytes JMP 00000001001107f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!BeginPath 00000000750e53fd 5 bytes JMP 0000000100110830 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!SelectClipPath 00000000750e5454 5 bytes JMP 0000000100110af0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!CloseFigure 00000000750e54af 5 bytes JMP 0000000100110070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!EndPath 00000000750e5506 5 bytes JMP 0000000100110a70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!StrokePath 00000000750e573f 5 bytes JMP 00000001001107b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!FillPath 00000000750e57d2 5 bytes JMP 0000000100110870 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!PolylineTo 00000000750e5c44 5 bytes JMP 00000001001104f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!PolyBezierTo 00000000750e5cd5 5 bytes JMP 00000001001104b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\GDI32.dll!PolyDraw 00000000750e5d87 5 bytes JMP 
00000001001108b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001001d1014 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001001d0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001001d0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001001d0c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001001d0e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001001d01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001001d03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001001d0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\SspiCli.dll!FreeContextBuffer 0000000074b59606 5 bytes JMP 00000001001e00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\SspiCli.dll!FreeCredentialsHandle 0000000074b60581 5 bytes JMP 00000001001e0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\SspiCli.dll!DeleteSecurityContext 0000000074b60bb9 5 bytes JMP 00000001001e0270 .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\SspiCli.dll!ApplyControlToken 0000000074b60c2e 5 bytes JMP 00000001001e01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\SspiCli.dll!QueryContextAttributesA 0000000074b60f2e 5 bytes JMP 00000001001e0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\SspiCli.dll!QueryCredentialsAttributesA 0000000074b61096 5 bytes JMP 00000001001e00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074b6124e 5 bytes JMP 00000001001e01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\SspiCli.dll!DecryptMessage 0000000074b6129d 5 bytes JMP 00000001001e0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\SspiCli.dll!AcquireCredentialsHandleA 0000000074b61527 5 bytes JMP 00000001001e0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\SspiCli.dll!InitializeSecurityContextA 0000000074b61590 5 bytes JMP 00000001001e0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\ole32.dll!OleSetClipboard 00000000758f0045 5 bytes JMP 0000000100300030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\ole32.dll!OleIsCurrentClipboard 00000000758f36b2 5 bytes JMP 0000000100300070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\ole32.dll!OleGetClipboard 000000007591fdcd 5 bytes JMP 00000001003000b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d81465 2 bytes [D8, 74] .text 
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[4404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d814bb 2 bytes [D8, 74] .text ... * 2 .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f23ae0 5 bytes JMP 000000010060075c .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076f27a90 5 bytes JMP 00000001006003a4 .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076f51490 5 bytes JMP 0000000100600b14 .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076f514f0 5 bytes JMP 0000000100600ecc .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 000000010060163c .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076f51810 5 bytes JMP 0000000100601284 .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000001006019f4 .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd686e00 5 bytes JMP 000007ff7d6a1dac .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd686f2c 5 bytes JMP 000007ff7d6a0ecc .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd687220 5 bytes JMP 000007ff7d6a1284 .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd68739c 5 bytes JMP 000007ff7d6a163c 
.text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd687538 5 bytes JMP 000007ff7d6a19f4 .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd6875e8 5 bytes JMP 000007ff7d6a03a4 .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd68790c 5 bytes JMP 000007ff7d6a075c .text C:\Program Files\Sony\VAIO Care\Admload.exe[6108] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd687ab4 5 bytes JMP 000007ff7d6a0b14 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000000770b0470 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 00000000770b0460 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000000770b0370 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000000770b0480 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000000770b03e0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 00000000770b0320 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000000770b03b0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000000770b0390 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000000770b02e0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 00000000770b0440 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 
00000000770b02d0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000000770b0310 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000000770b03c0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000000770b03f0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000000770b0230 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0x15e890} .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000000770b0490 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000000770b03a0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000000770b02f0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000000770b0350 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000000770b0290 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000000770b02b0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000000770b03d0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000000770b0330 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0x15e590} .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 00000000770b0410 .text C:\Windows\notepad.exe[6908] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000000770b0240 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000000770b01e0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000000770b0250 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0x15e090} .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000000770b04a0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000000770b04b0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000000770b0300 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000000770b0360 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000000770b02a0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000000770b02c0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000000770b0380 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 00000000770b0340 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 00000000770b0450 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000000770b0260 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000000770b0270 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 
00000000770b0400 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000000770b01f0 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000000770b0210 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000000770b0200 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000000770b0420 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 00000000770b0430 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000000770b0220 .text C:\Windows\notepad.exe[6908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000000770b0280 .text C:\Windows\notepad.exe[6908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000000770b0470 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 00000000770b0460 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000000770b0370 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000000770b0480 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000000770b03e0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 00000000770b0320 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000000770b03b0 .text C:\Windows\notepad.exe[5640] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000000770b0390 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000000770b02e0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 00000000770b0440 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000000770b02d0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000000770b0310 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000000770b03c0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000000770b03f0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000000770b0230 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0x15e890} .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000000770b0490 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 bytes JMP 00000000770b03a0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000000770b02f0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000000770b0350 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000000770b0290 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000000770b02b0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes 
JMP 00000000770b03d0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000000770b0330 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0x15e590} .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 00000000770b0410 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000000770b0240 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000000770b01e0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000000770b0250 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0x15e090} .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000000770b04a0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000000770b04b0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000000770b0300 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000000770b0360 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000000770b02a0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000000770b02c0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000000770b0380 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 00000000770b0340 .text C:\Windows\notepad.exe[5640] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 00000000770b0450 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000000770b0260 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000000770b0270 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000000770b0400 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000000770b01f0 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000000770b0210 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000000770b0200 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000000770b0420 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 00000000770b0430 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000000770b0220 .text C:\Windows\notepad.exe[5640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000000770b0280 .text C:\Windows\notepad.exe[5640] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f513c0 5 bytes JMP 00000000770b0470 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f51410 5 bytes JMP 00000000770b0460 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f51570 5 bytes JMP 00000000770b0370 .text C:\Windows\system32\AUDIODG.EXE[4640] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f515c0 5 bytes JMP 00000000770b0480 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f515d0 5 bytes JMP 00000000770b03e0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f51680 5 bytes JMP 00000000770b0320 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f516b0 5 bytes JMP 00000000770b03b0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f516d0 5 bytes JMP 00000000770b0390 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f51710 5 bytes JMP 00000000770b02e0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f51760 5 bytes JMP 00000000770b0440 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f51790 5 bytes JMP 00000000770b02d0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f517b0 5 bytes JMP 00000000770b0310 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f517f0 5 bytes JMP 00000000770b03c0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f51840 5 bytes JMP 00000000770b03f0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f519a0 1 byte JMP 00000000770b0230 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f51b60 5 bytes JMP 00000000770b0490 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f51b90 5 
bytes JMP 00000000770b03a0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f51c70 5 bytes JMP 00000000770b02f0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f51c80 5 bytes JMP 00000000770b0350 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f51ce0 5 bytes JMP 00000000770b0290 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f51d70 5 bytes JMP 00000000770b02b0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f51d90 5 bytes JMP 00000000770b03d0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f51da0 1 byte JMP 00000000770b0330 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f51e10 5 bytes JMP 00000000770b0410 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f51e40 5 bytes JMP 00000000770b0240 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f52100 5 bytes JMP 00000000770b01e0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f521c0 1 byte JMP 00000000770b0250 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f521f0 5 bytes JMP 00000000770b04a0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f52200 5 bytes JMP 00000000770b04b0 .text C:\Windows\system32\AUDIODG.EXE[4640] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f52230 5 bytes JMP 00000000770b0300 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f52240 5 bytes JMP 00000000770b0360 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f522a0 5 bytes JMP 00000000770b02a0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f522f0 5 bytes JMP 00000000770b02c0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f52320 5 bytes JMP 00000000770b0380 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f52330 5 bytes JMP 00000000770b0340 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f52620 5 bytes JMP 00000000770b0450 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f52820 5 bytes JMP 00000000770b0260 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f52830 5 bytes JMP 00000000770b0270 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f52840 5 bytes JMP 00000000770b0400 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f52a00 5 bytes JMP 00000000770b01f0 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f52a10 5 bytes JMP 00000000770b0210 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f52a80 5 bytes JMP 00000000770b0200 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f52ae0 5 bytes JMP 00000000770b0420 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f52af0 5 bytes JMP 
00000000770b0430 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f52b00 5 bytes JMP 00000000770b0220 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f52be0 5 bytes JMP 00000000770b0280 .text C:\Windows\system32\AUDIODG.EXE[4640] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076e3eecd 1 byte [62] .text C:\Users\Zosia\Downloads\1bf36rgn.exe[1632] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a2a30a 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [928:3644] 000007fef8202154 Thread C:\Windows\system32\svchost.exe [472:5824] 000007fef4720ea8 Thread C:\Windows\system32\svchost.exe [472:5828] 000007fef4719db0 Thread C:\Windows\system32\svchost.exe [472:5920] 000007fef471aa10 Thread C:\Windows\system32\svchost.exe [472:5936] 000007fef4721c94 Thread C:\Windows\system32\svchost.exe [472:7132] 000007fef293d3c8 Thread C:\Windows\system32\svchost.exe [472:7136] 000007fef293d3c8 Thread C:\Windows\system32\svchost.exe [472:7140] 000007fef293d3c8 Thread C:\Windows\system32\svchost.exe [472:7144] 000007fef293d3c8 Thread C:\Windows\system32\svchost.exe [708:3880] 000007fef4fd84d8 Thread C:\Windows\system32\svchost.exe [708:1548] 000007fef4f923a8 Thread C:\Windows\system32\svchost.exe [708:4100] 000007fef5030d00 Thread C:\Windows\system32\svchost.exe [708:4108] 000007fef4e29498 Thread C:\Windows\system32\svchost.exe [708:480] 000007fef5df5124 Thread C:\Windows\system32\svchost.exe [708:4756] 000007fef128506c Thread C:\Windows\system32\svchost.exe [708:6304] 000007fef1321c20 Thread C:\Windows\system32\svchost.exe [708:4348] 000007fef1321c20 Thread C:\Windows\system32\svchost.exe [708:4168] 000007fef65a1ab0 Thread C:\Windows\system32\svchost.exe [708:4936] 000007fef6644164 Thread C:\Windows\system32\svchost.exe [1088:1244] 000007fefa788274 Thread C:\Windows\system32\svchost.exe [1088:1596] 000007fefa788274 Thread 
C:\Windows\system32\svchost.exe [1172:3000] 000007fef5ebbd88 Thread C:\Windows\system32\svchost.exe [1172:3360] 000007fef5a783d8 Thread C:\Windows\system32\svchost.exe [1172:3364] 000007fef5a783d8 Thread C:\Windows\system32\svchost.exe [1172:3368] 000007fef5a783d8 Thread C:\Windows\system32\svchost.exe [1172:3372] 000007fef5a783d8 Thread C:\Windows\system32\svchost.exe [1172:3388] 000007fef59a00cc Thread C:\Windows\system32\svchost.exe [1172:3444] 000007fef5df5124 Thread C:\Windows\system32\svchost.exe [1172:4076] 000007fef4f23f1c Thread C:\Windows\system32\svchost.exe [1172:1560] 000007fef99c1a38 Thread C:\Windows\system32\svchost.exe [1172:1556] 000007fef99b5388 Thread C:\Windows\system32\svchost.exe [1172:1440] 000007fef4e67738 Thread C:\Windows\system32\svchost.exe [1172:1536] 000007fef4e51f90 Thread C:\Windows\system32\svchost.exe [1172:1064] 000007fef79b5170 Thread C:\Windows\system32\WLANExt.exe [1348:1396] 00000000001d8684 Thread C:\Windows\system32\WLANExt.exe [1348:1400] 00000000001d8684 Thread C:\Windows\System32\spoolsv.exe [1876:2320] 000007fef6e910c8 Thread C:\Windows\System32\spoolsv.exe [1876:2372] 000007fef6e56144 Thread C:\Windows\System32\spoolsv.exe [1876:2376] 000007fef6c45fd0 Thread C:\Windows\System32\spoolsv.exe [1876:2384] 000007fef6c33438 Thread C:\Windows\System32\spoolsv.exe [1876:2388] 000007fef6c463ec Thread C:\Windows\System32\spoolsv.exe [1876:2404] 000007fef7045e5c Thread C:\Windows\System32\spoolsv.exe [1876:2408] 000007fef7075074 Thread C:\Windows\System32\spoolsv.exe [1876:4176] 000007fef70e2288 Thread C:\Windows\system32\svchost.exe [1912:2804] 000007fef64f35c0 Thread C:\Windows\system32\svchost.exe [1912:5192] 000007fef64f5600 Thread C:\Windows\system32\svchost.exe [1912:5404] 000007fef1ee2888 Thread C:\Windows\system32\svchost.exe [1912:5720] 000007fef0932940 Thread C:\Windows\system32\taskhost.exe [1944:1988] 000007fef82c2740 Thread C:\Windows\system32\taskhost.exe [1944:2024] 000007fef8271f38 Thread 
C:\Windows\system32\taskhost.exe [1944:1668] 000007fefa411010 Thread C:\Windows\system32\taskhost.exe [1944:1392] 000007fef79b5170 Thread C:\Windows\system32\svchost.exe [2736:2932] 000007fef6c45fd0 Thread C:\Windows\system32\svchost.exe [2736:2936] 000007fef6c463ec Thread C:\Windows\system32\svchost.exe [2736:3424] 000007fef5d08470 Thread C:\Windows\system32\svchost.exe [2736:3428] 000007fef5d12418 Thread C:\Windows\system32\svchost.exe [2736:4580] 000007fef48e4734 Thread C:\Windows\system32\svchost.exe [2736:6652] 000007fef48ef130 Thread C:\Windows\system32\svchost.exe [2736:2216] 000007fef48e4734 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:2952] 0000000077133e45 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:2988] 0000000077132e25 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4304] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4308] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4312] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4316] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4320] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4324] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4328] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4332] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4336] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4340] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL 
Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4368] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4372] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4376] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4384] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4388] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4400] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4408] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4480] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4484] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4512] 0000000077133e45 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:6576] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:824] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4616] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:6892] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:1056] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:1516] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:4784] 0000000071d329e1 Thread c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:6284] 0000000071d329e1 Thread c:\Program Files 
(x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2852:1492] 0000000071d329e1 Thread C:\Windows\SysWOW64\DllHost.exe [3972:4056] 00000000708d28f0 Thread C:\Windows\SysWOW64\DllHost.exe [3992:4072] 0000000070262570 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5584:6352] 000007fefb382a7c ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???i????????v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files (x86)\wa-pro\wf-mag\wfmag.exe|Name=Program WF-Mag|Desc=Program WF-Mag|?i??????}???? ?????????????????????0????????????&????????????????????????????????????????????s??? ???????i??????????????????? ???????i???????i???????t??? ???????|???????????k?:????????????&????????????????????&????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????@FirewallAPI.dll,-23505???????@FirewallAPI.dll,-23506??????????????????????????????????????????????????????????????? ??????????? ????(??????P????????????(??????P????????????(??????P????????????(??????P????????????(??????P????????????(??????P?????????????P???????????????????????????????????????v2.10|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Domain|RPort=2177|App=%SystemRoot%\system32\svchost.exe|Svc=Qwave|Name=@FirewallAPI.dll,-31265|Desc=@FirewallAPI.dll,-31268|EmbedCtxt=@FirewallAPI.dll,-31252|???USBSTOR???? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 4191 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition3\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000bd5c8df8b Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e59dc87c Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78d4af20 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? 
Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 2 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 4191 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition3\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 11 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000bd5c8df8b (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e59dc87c (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78d4af20 (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\Zosia\AppData\Roaming\Adobe\Acrobat\10.0\JSCache\GlobSettings 24 bytes ---- EOF - GMER 2.1 ----