GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-20 12:16:39 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK5056GSY rev.LH003D 465,76GB Running: dix06cox.exe; Driver: C:\Users\DELL\AppData\Local\Temp\aftciaob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 000000014a210470 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 000000014a210460 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 000000014a210370 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 000000014a210480 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 000000014a2103e0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 000000014a210320 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 000000014a2103b0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 000000014a210390 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 000000014a2102e0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 000000014a210440 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 000000014a2102d0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 000000014a210310 .text C:\Windows\system32\csrss.exe[428] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 000000014a2103c0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 000000014a2103f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 000000014a210230 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0xffffffffd2d8e890} .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 000000014a210490 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 000000014a2103a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 000000014a2102f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 000000014a210350 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 000000014a210290 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 000000014a2102b0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 000000014a2103d0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 000000014a210330 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0xffffffffd2d8e590} .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 000000014a210410 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 000000014a210240 
.text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 000000014a2101e0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 000000014a210250 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0xffffffffd2d8e090} .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 000000014a2104a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 000000014a2104b0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 000000014a210300 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 000000014a210360 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 000000014a2102a0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 000000014a2102c0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 000000014a210380 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 000000014a210340 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 000000014a210450 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 000000014a210260 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 000000014a210270 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes 
JMP 000000014a210400 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 000000014a2101f0 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 000000014a210210 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 000000014a210200 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 000000014a210420 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 000000014a210430 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 000000014a210220 .text C:\Windows\system32\csrss.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 000000014a210280 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\wininit.exe[492] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 
00000000775e02b0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\wininit.exe[492] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\wininit.exe[492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 000000014a210470 
.text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 000000014a210460 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 000000014a210370 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 000000014a210480 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 000000014a2103e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 000000014a210320 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 000000014a2103b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 000000014a210390 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 000000014a2102e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 000000014a210440 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 000000014a2102d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 000000014a210310 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 000000014a2103c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 000000014a2103f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 000000014a210230 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 
0xffffffffd2d8e890} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 000000014a210490 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 000000014a2103a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 000000014a2102f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 000000014a210350 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 000000014a210290 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 000000014a2102b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 000000014a2103d0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 000000014a210330 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0xffffffffd2d8e590} .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 000000014a210410 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 000000014a210240 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 000000014a2101e0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 000000014a210250 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0xffffffffd2d8e090} .text C:\Windows\system32\csrss.exe[512] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 000000014a2104a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 000000014a2104b0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 000000014a210300 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 000000014a210360 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 000000014a2102a0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 000000014a2102c0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 000000014a210380 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 000000014a210340 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 000000014a210450 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 000000014a210260 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 000000014a210270 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 000000014a210400 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 000000014a2101f0 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 000000014a210210 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 000000014a210200 .text 
C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 000000014a210420 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 000000014a210430 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 000000014a210220 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 000000014a210280 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text 
C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\services.exe[556] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\services.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\services.exe[556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 
00000000775e0480 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\lsass.exe[576] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text 
C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text 
C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text 
C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text 
C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 
0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text 
C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\winlogon.exe[676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text 
C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[744] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 
00000000775e04b0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[744] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[744] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[744] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text 
C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 
0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[840] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\atiesrxx.exe[900] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 
00000000775e03e0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\System32\svchost.exe[960] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 
00000000775e0360 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\System32\svchost.exe[960] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\System32\svchost.exe[960] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 
.text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\System32\svchost.exe[1000] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 
00000000775e0400 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\System32\svchost.exe[1000] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[352] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 
00000000775e0290 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[352] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text 
C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text 
C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[440] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[1224] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes 
JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[1224] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 
byte [62] .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\atieclxx.exe[1300] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text 
C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\atieclxx.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE[1388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\WLANExt.exe[1396] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes 
JMP 00000000775e02b0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\WLANExt.exe[1396] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\WLANExt.exe[1396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 
00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 
00000000775e03c0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text 
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Program Files\Dell\Dell 
Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe[1476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Program Files\Dell\Dell Wireless WLAN 
Card\bcmwltry.exe[1476] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 
bytes JMP 00000000775e03f0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\System32\spoolsv.exe[1644] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes 
JMP 00000000775e01f0 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\System32\spoolsv.exe[1644] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[1692] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes 
JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[1692] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[1692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1800] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 
0000000076e3a30a 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Program 
Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 
bytes JMP 00000000775e0380 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Program 
Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\hasplms.exe[1992] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 0000000100060470 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 0000000100060460 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 0000000100060370 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 0000000100060480 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 0000000100060320 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 0000000100060390 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 0000000100060440 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 0000000100060310 .text C:\Windows\system32\taskhost.exe[1512] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 0000000100060230 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0xffffffff88bde890} .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 0000000100060490 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 0000000100060350 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 0000000100060290 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 0000000100060330 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0xffffffff88bde590} .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 0000000100060410 .text C:\Windows\system32\taskhost.exe[1512] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 0000000100060240 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 0000000100060250 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0xffffffff88bde090} .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000001000604b0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 0000000100060300 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 0000000100060360 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000001000602c0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 0000000100060380 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 0000000100060340 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 0000000100060450 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 0000000100060260 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 
0000000077482830 5 bytes JMP 0000000100060270 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 0000000100060400 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 0000000100060210 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 0000000100060200 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 0000000100060420 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 0000000100060430 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 0000000100060220 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 0000000100060280 .text C:\Windows\system32\taskhost.exe[1512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000000775e03e0 .text C:\Windows\Explorer.EXE[2080] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 
0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text 
C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000000775e0400 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\Explorer.EXE[2080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\Explorer.EXE[2080] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2168] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Program Files 
(x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2444] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2520] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2528] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007762faa0 5 bytes JMP 0000000100030600 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007762fb38 5 bytes JMP 0000000100030804 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007762fc90 5 bytes JMP 0000000100030c0c .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077630018 5 bytes JMP 0000000100030a08 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077631900 5 bytes JMP 0000000100030e10 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007764c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077651217 5 bytes JMP 00000001000303fc .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077125181 5 bytes JMP 0000000100241014 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077125254 5 bytes JMP 0000000100240804 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000771253d5 5 bytes JMP 0000000100240a08 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000771254c2 5 bytes JMP 0000000100240c0c .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000771255e2 5 bytes JMP 0000000100240e10 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007712567c 5 bytes JMP 00000001002401f8 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007712589f 5 bytes JMP 00000001002403fc .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077125a22 5 bytes JMP 0000000100240600 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f2ee09 5 bytes JMP 00000001002501f8 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076f33982 5 bytes JMP 00000001002503fc .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f37603 5 bytes JMP 0000000100250804 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f3835c 5 bytes JMP 0000000100250600 .text C:\Windows\system32\DRIVERS\o2flash.exe[2456] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076f4f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453ae0 5 bytes JMP 000000010055075c .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457a90 5 bytes JMP 00000001005503a4 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481490 5 bytes JMP 0000000100550b14 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000774814f0 5 bytes JMP 0000000100550ecc .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 000000010055163c .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Program Files\Microsoft SQL 
Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077481810 5 bytes JMP 0000000100551284 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Program 
Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text 
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000001005519f4 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 
00000000775e0200 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1a6e00 5 bytes JMP 000007ff7e1c1dac .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1a6f2c 5 bytes JMP 000007ff7e1c0ecc .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1a7220 5 bytes JMP 000007ff7e1c1284 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1a739c 5 bytes JMP 000007ff7e1c163c .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1a7538 5 bytes JMP 000007ff7e1c19f4 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1a75e8 5 bytes JMP 000007ff7e1c03a4 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 
000007fefe1a790c 5 bytes JMP 000007ff7e1c075c .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1072] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1a7ab4 5 bytes JMP 000007ff7e1c0b14 .text C:\Windows\system32\svchost.exe[2840] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1a6e00 5 bytes JMP 000007ff7e1c1dac .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1a6f2c 5 bytes JMP 000007ff7e1c0ecc .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1a7220 5 bytes JMP 000007ff7e1c1284 .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1a739c 5 bytes JMP 000007ff7e1c163c .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1a7538 5 bytes JMP 000007ff7e1c19f4 .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1a75e8 5 bytes JMP 000007ff7e1c03a4 .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1a790c 5 bytes JMP 000007ff7e1c075c .text C:\Windows\system32\svchost.exe[2840] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1a7ab4 5 bytes JMP 000007ff7e1c0b14 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453ae0 5 bytes JMP 000000010039075c .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457a90 5 bytes JMP 00000001003903a4 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 
00000000775e0460 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481490 5 bytes JMP 0000000100390b14 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000774814f0 5 bytes JMP 0000000100390ecc .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 000000010039163c .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077481810 5 bytes JMP 0000000100391284 .text C:\Windows\System32\svchost.exe[2564] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes 
JMP 00000000775e01e0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000001003919f4 .text C:\Windows\System32\svchost.exe[2564] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1a6e00 5 bytes JMP 000007ff7e1c1dac .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1a6f2c 5 bytes JMP 000007ff7e1c0ecc .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1a7220 5 bytes JMP 000007ff7e1c1284 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1a739c 5 bytes JMP 000007ff7e1c163c .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1a7538 5 bytes JMP 000007ff7e1c19f4 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1a75e8 5 bytes JMP 000007ff7e1c03a4 .text C:\Windows\System32\svchost.exe[2564] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1a790c 5 bytes JMP 000007ff7e1c075c .text C:\Windows\System32\svchost.exe[2564] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1a7ab4 5 bytes JMP 000007ff7e1c0b14 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453ae0 5 bytes JMP 00000001002f075c .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457a90 5 bytes JMP 00000001002f03a4 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481490 5 bytes JMP 00000001002f0b14 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000774814f0 5 bytes JMP 00000001002f0ecc .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000001002f163c .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text 
C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077481810 5 bytes JMP 00000001002f1284 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 
00000000775e02b0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 
00000000775e02c0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000001002f19f4 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 
000000007726eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1a6e00 5 bytes JMP 000007ff7e1c1dac .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1a6f2c 5 bytes JMP 000007ff7e1c0ecc .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1a7220 5 bytes JMP 000007ff7e1c1284 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1a739c 5 bytes JMP 000007ff7e1c163c .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1a7538 5 bytes JMP 000007ff7e1c19f4 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1a75e8 5 bytes JMP 000007ff7e1c03a4 .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1a790c 5 bytes JMP 000007ff7e1c075c .text C:\Windows\system32\SearchIndexer.exe[3212] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1a7ab4 5 bytes JMP 000007ff7e1c0b14 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453ae0 5 bytes JMP 000000010028075c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457a90 5 bytes JMP 00000001002803a4 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481490 5 bytes JMP 0000000100280b14 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 
00000000774814f0 5 bytes JMP 0000000100280ecc .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 000000010028163c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077481810 5 bytes JMP 0000000100281284 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text 
C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[3412] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000001002819f4 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 
bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1a6e00 5 bytes JMP 000007ff7e1c1dac .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1a6f2c 5 bytes JMP 000007ff7e1c0ecc .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1a7220 5 bytes JMP 000007ff7e1c1284 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1a739c 5 bytes JMP 000007ff7e1c163c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1a7538 5 bytes JMP 000007ff7e1c19f4 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1a75e8 5 bytes JMP 000007ff7e1c03a4 .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1a790c 5 bytes JMP 000007ff7e1c075c .text C:\Windows\system32\svchost.exe[3412] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1a7ab4 5 bytes JMP 000007ff7e1c0b14 .text C:\Program Files\Windows 
Media Player\wmpnetwk.exe[3760] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453ae0 5 bytes JMP 00000001001e075c .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457a90 5 bytes JMP 00000001001e03a4 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774813c0 5 bytes JMP 00000000775e0470 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077481410 5 bytes JMP 00000000775e0460 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481490 5 bytes JMP 00000001001e0b14 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000774814f0 5 bytes JMP 00000001001e0ecc .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481570 5 bytes JMP 00000000775e0370 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774815c0 5 bytes JMP 00000000775e0480 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774815d0 5 bytes JMP 00000001001e163c .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481680 5 bytes JMP 00000000775e0320 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774816b0 5 bytes JMP 00000000775e03b0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000774816d0 5 bytes JMP 00000000775e0390 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077481710 5 bytes JMP 00000000775e02e0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 
0000000077481760 5 bytes JMP 00000000775e0440 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481790 5 bytes JMP 00000000775e02d0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774817b0 5 bytes JMP 00000000775e0310 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774817f0 5 bytes JMP 00000000775e03c0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077481810 5 bytes JMP 00000001001e1284 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077481840 5 bytes JMP 00000000775e03f0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774819a0 1 byte JMP 00000000775e0230 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b60 5 bytes JMP 00000000775e0490 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b90 5 bytes JMP 00000000775e03a0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c70 5 bytes JMP 00000000775e02f0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c80 5 bytes JMP 00000000775e0350 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481ce0 5 bytes JMP 00000000775e0290 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d70 5 bytes JMP 00000000775e02b0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d90 5 bytes JMP 00000000775e03d0 .text 
C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481da0 1 byte JMP 00000000775e0330 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077481da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481e10 5 bytes JMP 00000000775e0410 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481e40 5 bytes JMP 00000000775e0240 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077482100 5 bytes JMP 00000000775e01e0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774821c0 1 byte JMP 00000000775e0250 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774821f0 5 bytes JMP 00000000775e04a0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077482200 5 bytes JMP 00000000775e04b0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077482230 5 bytes JMP 00000000775e0300 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077482240 5 bytes JMP 00000000775e0360 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774822a0 5 bytes JMP 00000000775e02a0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774822f0 5 bytes JMP 00000000775e02c0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077482320 5 bytes JMP 00000000775e0380 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 
0000000077482330 5 bytes JMP 00000000775e0340 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077482620 5 bytes JMP 00000000775e0450 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077482820 5 bytes JMP 00000000775e0260 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077482830 5 bytes JMP 00000000775e0270 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077482840 5 bytes JMP 00000001001e19f4 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077482a00 5 bytes JMP 00000000775e01f0 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077482a10 5 bytes JMP 00000000775e0210 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a80 5 bytes JMP 00000000775e0200 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482ae0 5 bytes JMP 00000000775e0420 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482af0 5 bytes JMP 00000000775e0430 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482b00 5 bytes JMP 00000000775e0220 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482be0 5 bytes JMP 00000000775e0280 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1a6e00 5 bytes JMP 000007ff7e1c1dac .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1a6f2c 5 bytes JMP 000007ff7e1c0ecc .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1a7220 5 bytes JMP 
000007ff7e1c1284 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1a739c 5 bytes JMP 000007ff7e1c163c .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1a7538 5 bytes JMP 000007ff7e1c19f4 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1a75e8 5 bytes JMP 000007ff7e1c03a4 .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1a790c 5 bytes JMP 000007ff7e1c075c .text C:\Windows\System32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1a7ab4 5 bytes JMP 000007ff7e1c0b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007762faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007762fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007762fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077630018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077631900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007764c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077651217 5 bytes JMP 
00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077125181 5 bytes JMP 00000001001d1014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077125254 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000771253d5 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000771254c2 5 bytes JMP 00000001001d0c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000771255e2 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007712567c 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007712589f 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077125a22 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000076f2ee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] 
C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076f33982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076f37603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076f3835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4556] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076f4f52b 5 bytes JMP 00000001001e0a08 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1a6e00 5 bytes JMP 000007ff7e1c1dac .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1a6f2c 5 bytes JMP 000007ff7e1c0ecc .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1a7220 5 bytes JMP 000007ff7e1c1284 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1a739c 5 bytes JMP 000007ff7e1c163c .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1a7538 5 bytes JMP 000007ff7e1c19f4 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1a75e8 5 bytes JMP 000007ff7e1c03a4 .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1a790c 5 bytes JMP 000007ff7e1c075c .text C:\Windows\system32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1a7ab4 5 bytes JMP 000007ff7e1c0b14 .text C:\Windows\notepad.exe[3176] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\notepad.exe[3868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 
000000007726eecd 1 byte [62] .text C:\Users\DELL\Desktop\diagnostyka\gmer\dix06cox.exe[3988] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4904] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d61465 2 bytes [D6, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4904] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d614bb 2 bytes [D6, 75] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4904] entry point in ".rdata" section 00000000734d71e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007762f991 7 bytes {MOV EDX, 0xa71628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007762fbd5 7 bytes {MOV EDX, 0xa71668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007762fc05 7 bytes {MOV EDX, 0xa715a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007762fc1d 7 bytes {MOV EDX, 0xa71528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007762fc35 7 bytes {MOV EDX, 0xa71728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007762fc65 7 bytes {MOV EDX, 0xa71768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007762fce5 7 bytes {MOV EDX, 
0xa716e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007762fcfd 7 bytes {MOV EDX, 0xa716a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007762fd49 7 bytes {MOV EDX, 0xa71468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007762fe41 7 bytes {MOV EDX, 0xa714a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077630099 7 bytes {MOV EDX, 0xa71428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776310a5 7 bytes {MOV EDX, 0xa715e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007763111d 7 bytes {MOV EDX, 0xa71568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077631321 7 bytes {MOV EDX, 0xa714e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d61465 2 bytes [D6, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1176] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d614bb 2 bytes [D6, 75] .text ... 
* 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007762f991 7 bytes {MOV EDX, 0x9b0228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007762fbd5 7 bytes {MOV EDX, 0x9b0268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007762fc05 7 bytes {MOV EDX, 0x9b01a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007762fc1d 7 bytes {MOV EDX, 0x9b0128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007762fc35 7 bytes {MOV EDX, 0x9b0328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007762fc65 7 bytes {MOV EDX, 0x9b0368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007762fce5 7 bytes {MOV EDX, 0x9b02e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007762fcfd 7 bytes {MOV EDX, 0x9b02a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007762fd49 7 bytes {MOV EDX, 0x9b0068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007762fe41 7 bytes {MOV EDX, 0x9b00a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077630099 7 bytes {MOV EDX, 0x9b0028; JMP RDX} .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776310a5 7 bytes {MOV EDX, 0x9b01e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007763111d 7 bytes {MOV EDX, 0x9b0168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077631321 7 bytes {MOV EDX, 0x9b00e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d61465 2 bytes [D6, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1728] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d614bb 2 bytes [D6, 75] .text ... 
* 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007762f991 7 bytes {MOV EDX, 0xfc8628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007762fbd5 7 bytes {MOV EDX, 0xfc8668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007762fc05 7 bytes {MOV EDX, 0xfc85a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007762fc1d 7 bytes {MOV EDX, 0xfc8528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007762fc35 7 bytes {MOV EDX, 0xfc8728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007762fc65 7 bytes {MOV EDX, 0xfc8768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007762fce5 7 bytes {MOV EDX, 0xfc86e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007762fcfd 7 bytes {MOV EDX, 0xfc86a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007762fd49 7 bytes {MOV EDX, 0xfc8468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007762fe41 7 bytes {MOV EDX, 0xfc84a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077630099 7 bytes {MOV EDX, 0xfc8428; JMP RDX} .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776310a5 7 bytes {MOV EDX, 0xfc85e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007763111d 7 bytes {MOV EDX, 0xfc8568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077631321 7 bytes {MOV EDX, 0xfc84e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d61465 2 bytes [D6, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d614bb 2 bytes [D6, 75] .text ... 
* 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007762f991 7 bytes {MOV EDX, 0xe09e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007762fbd5 7 bytes {MOV EDX, 0xe09e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007762fc05 7 bytes {MOV EDX, 0xe09da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007762fc1d 7 bytes {MOV EDX, 0xe09d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007762fc35 7 bytes {MOV EDX, 0xe09f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007762fc65 7 bytes {MOV EDX, 0xe09f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007762fce5 7 bytes {MOV EDX, 0xe09ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007762fcfd 7 bytes {MOV EDX, 0xe09ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007762fd49 7 bytes {MOV EDX, 0xe09c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007762fe41 7 bytes {MOV EDX, 0xe09ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077630099 7 bytes {MOV EDX, 0xe09c28; JMP RDX} .text C:\Program Files 
(x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776310a5 7 bytes {MOV EDX, 0xe09de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007763111d 7 bytes {MOV EDX, 0xe09d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077631321 7 bytes {MOV EDX, 0xe09ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076e3a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075d61465 2 bytes [D6, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075d614bb 2 bytes [D6, 75] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [2564:4312] 000007fef06b9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3760:3132] 000007fefe3e0168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3760:3196] 000007fefb7d2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3760:3260] 000007fef0edd618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3760:4348] 000007fefa545124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 95 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 902210 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619fcd8a7 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 95 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 902210 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619fcd8a7 (not active ControlSet) ---- EOF - GMER 2.1 ----