GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-19 10:40:37 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 SAMSUNG_HD501LJ rev.CR100-12 465,76GB Running: 2vy53tsb.exe; Driver: C:\Users\Aga\AppData\Local\Temp\uxriapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 000000014a220460 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 000000014a220450 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 000000014a220370 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 000000014a220470 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 000000014a2203e0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 000000014a220320 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 000000014a2203b0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 000000014a220390 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 000000014a2202e0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 000000014a2202d0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 000000014a220310 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 000000014a2203c0 .text C:\Windows\system32\csrss.exe[404] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 000000014a2203f0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 000000014a220230 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0xffffffffd320e890} .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 000000014a220480 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 000000014a2203a0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 000000014a2202f0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 000000014a220350 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 000000014a220290 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 000000014a2202b0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 000000014a2203d0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 000000014a220330 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0xffffffffd320e590} .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 000000014a220410 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 000000014a220240 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 000000014a2201e0 
.text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 000000014a220250 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0xffffffffd320e090} .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 000000014a220490 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 000000014a2204a0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 000000014a220300 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 000000014a220360 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 000000014a2202a0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 000000014a2202c0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 000000014a220380 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 000000014a220340 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 000000014a220440 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 000000014a220260 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 000000014a220270 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 000000014a220400 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000077012a00 5 bytes JMP 000000014a2201f0 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 000000014a220210 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 000000014a220200 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 000000014a220420 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 000000014a220430 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 000000014a220220 .text C:\Windows\system32\csrss.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 000000014a220280 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000000771703e0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\wininit.exe[464] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 
.text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000077170400 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\wininit.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\system32\wininit.exe[464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 000000014a220460 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 000000014a220450 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 000000014a220370 .text C:\Windows\system32\csrss.exe[484] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 000000014a220470 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 000000014a2203e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 000000014a220320 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 000000014a2203b0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 000000014a220390 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 000000014a2202e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 000000014a2202d0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 000000014a220310 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 000000014a2203c0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 000000014a2203f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 000000014a220230 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0xffffffffd320e890} .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 000000014a220480 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 000000014a2203a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 000000014a2202f0 .text 
C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 000000014a220350 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 000000014a220290 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 000000014a2202b0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 000000014a2203d0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 000000014a220330 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0xffffffffd320e590} .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 000000014a220410 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 000000014a220240 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 000000014a2201e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 000000014a220250 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0xffffffffd320e090} .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 000000014a220490 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 000000014a2204a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 000000014a220300 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
0000000077012240 5 bytes JMP 000000014a220360 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 000000014a2202a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 000000014a2202c0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 000000014a220380 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 000000014a220340 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 000000014a220440 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 000000014a220260 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 000000014a220270 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 000000014a220400 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 000000014a2201f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 000000014a220210 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 000000014a220200 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 000000014a220420 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 000000014a220430 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 000000014a220220 .text C:\Windows\system32\csrss.exe[484] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 000000014a220280 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 
0000000100070230 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0xffffffff8905e890} .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0xffffffff8905e590} .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000100070250 .text 
C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0xffffffff8905e090} .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[524] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000000771703e0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text 
C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 
0000000077170330 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 
bytes JMP 0000000077170440 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000077170400 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\lsass.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[556] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0xffffffff8905e890} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000100070350 .text 
C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0xffffffff8905e590} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0xffffffff8905e090} .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000001000702a0 .text 
C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text 
C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000000771703e0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[612] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 
bytes JMP 0000000077170490 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000077170400 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text 
C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\system32\winlogon.exe[612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
0000000077011790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0xffffffff8905e890} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0xffffffff8905e590} .text 
C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0xffffffff8905e090} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[700] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 
0000000077170470 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000000771703e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\svchost.exe[792] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 
0000000077170360 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000077170400 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\svchost.exe[792] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000100070230 .text 
C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0xffffffff8905e890} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0xffffffff8905e590} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[892] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0xffffffff8905e090} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 
bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000000771703e0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\System32\svchost.exe[936] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 
.text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000077170400 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\System32\svchost.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\System32\svchost.exe[936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text 
C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000000771703e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\svchost.exe[1004] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 
0000000077170300 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000077170400 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\svchost.exe[1004] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\system32\svchost.exe[1004] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000001000703c0 .text 
C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0xffffffff8905e890} .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0xffffffff8905e590} .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[112] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0xffffffff8905e090} .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 
0000000100070400 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000000771703e0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\svchost.exe[380] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 
00000000771702b0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\svchost.exe[380] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000077170400 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\svchost.exe[380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\system32\svchost.exe[380] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 
.text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000000771703e0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text 
C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 
00000000771704a0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000077170400 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 
0000000077170430 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\Dwm.exe[1256] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000000771703e0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\Explorer.EXE[1280] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 
00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000077170400 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text 
C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\Explorer.EXE[1280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\Explorer.EXE[1280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000000771703e0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 
00000000771702d0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1452] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 
5 bytes JMP 0000000077170260 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 0000000077170400 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\system32\taskhost.exe[1452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe3ae0 5 bytes JMP 000000010013075c .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe7a90 5 bytes JMP 00000001001303a4 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\System32\spoolsv.exe[1672] 
C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077011490 5 bytes JMP 0000000100130b14 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000770114f0 5 bytes JMP 0000000100130ecc .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 000000010013163c .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077011810 5 bytes JMP 0000000100131284 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 
byte JMP 0000000077170230 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\System32\spoolsv.exe[1672] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 00000001001319f4 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 
bytes JMP 0000000077170210 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda16e00 5 bytes JMP 000007ff7da31dac .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda16f2c 5 bytes JMP 000007ff7da30ecc .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda17220 5 bytes JMP 000007ff7da31284 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda1739c 5 bytes JMP 000007ff7da3163c .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda17538 5 bytes JMP 000007ff7da319f4 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda175e8 5 bytes JMP 000007ff7da303a4 .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda1790c 5 bytes JMP 000007ff7da3075c .text C:\Windows\System32\spoolsv.exe[1672] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda17ab4 5 bytes JMP 000007ff7da30b14 .text 
C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe3ae0 5 bytes JMP 00000001001f075c .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe7a90 5 bytes JMP 00000001001f03a4 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077011490 5 bytes JMP 00000001001f0b14 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000770114f0 5 bytes JMP 00000001001f0ecc .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000001001f163c .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\svchost.exe[1904] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077011810 5 bytes JMP 00000001001f1284 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 
3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\svchost.exe[1904] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 00000001001f19f4 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda16e00 5 bytes JMP 000007ff7da31dac .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda16f2c 5 bytes JMP 000007ff7da30ecc .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda17220 5 bytes JMP 000007ff7da31284 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 
000007fefda1739c 5 bytes JMP 000007ff7da3163c .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda17538 5 bytes JMP 000007ff7da319f4 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda175e8 5 bytes JMP 000007ff7da303a4 .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda1790c 5 bytes JMP 000007ff7da3075c .text C:\Windows\system32\svchost.exe[1904] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda17ab4 5 bytes JMP 000007ff7da30b14 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe3ae0 5 bytes JMP 000000010012075c .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe7a90 5 bytes JMP 00000001001203a4 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077011490 5 bytes JMP 0000000100120b14 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000770114f0 5 bytes JMP 0000000100120ecc .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 000000010012163c .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text 
C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077011810 5 bytes JMP 0000000100121284 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\svchost.exe[2032] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 
00000000771702a0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 00000001001219f4 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\system32\svchost.exe[2032] 
C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda16e00 5 bytes JMP 000007ff7da31dac .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda16f2c 5 bytes JMP 000007ff7da30ecc .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda17220 5 bytes JMP 000007ff7da31284 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda1739c 5 bytes JMP 000007ff7da3163c .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda17538 5 bytes JMP 000007ff7da319f4 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda175e8 5 bytes JMP 000007ff7da303a4 .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda1790c 5 bytes JMP 000007ff7da3075c .text C:\Windows\system32\svchost.exe[2032] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda17ab4 5 bytes JMP 000007ff7da30b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2664] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074f7a30a 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe3ae0 5 bytes JMP 000000010027075c .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe7a90 5 bytes JMP 00000001002703a4 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\SearchIndexer.exe[2804] 
C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077011490 5 bytes JMP 0000000100270b14 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000770114f0 5 bytes JMP 0000000100270ecc .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 000000010027163c .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077011810 5 bytes JMP 0000000100271284 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text 
C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 
00000000771701e0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 
bytes JMP 00000001002719f4 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda16e00 5 bytes JMP 000007ff7da31dac .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda16f2c 5 bytes JMP 000007ff7da30ecc .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda17220 5 bytes JMP 000007ff7da31284 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda1739c 5 bytes JMP 000007ff7da3163c .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda17538 5 bytes JMP 000007ff7da319f4 .text C:\Windows\system32\SearchIndexer.exe[2804] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda175e8 5 bytes JMP 000007ff7da303a4 .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda1790c 5 bytes JMP 000007ff7da3075c .text C:\Windows\system32\SearchIndexer.exe[2804] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda17ab4 5 bytes JMP 000007ff7da30b14 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe3ae0 5 bytes JMP 000000010017075c .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe7a90 5 bytes JMP 00000001001703a4 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077011490 5 bytes JMP 0000000100170b14 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000770114f0 5 bytes JMP 0000000100170ecc .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 000000010017163c .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077011810 5 bytes JMP 0000000100171284 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text 
C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 
0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 0000000077170340 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 00000001001719f4 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda16e00 5 bytes JMP 000007ff7da31dac .text 
C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda16f2c 5 bytes JMP 000007ff7da30ecc .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda17220 5 bytes JMP 000007ff7da31284 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda1739c 5 bytes JMP 000007ff7da3163c .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda17538 5 bytes JMP 000007ff7da319f4 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda175e8 5 bytes JMP 000007ff7da303a4 .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda1790c 5 bytes JMP 000007ff7da3075c .text C:\Windows\System32\svchost.exe[1212] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda17ab4 5 bytes JMP 000007ff7da30b14 .text C:\Windows\servicing\TrustedInstaller.exe[2584] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda16e00 5 bytes JMP 000007ff7da31dac .text C:\Windows\servicing\TrustedInstaller.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda16f2c 5 bytes JMP 000007ff7da30ecc .text C:\Windows\servicing\TrustedInstaller.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda17220 5 bytes JMP 000007ff7da31284 .text C:\Windows\servicing\TrustedInstaller.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda1739c 5 bytes JMP 000007ff7da3163c .text C:\Windows\servicing\TrustedInstaller.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda17538 5 bytes JMP 000007ff7da319f4 .text C:\Windows\servicing\TrustedInstaller.exe[2584] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda175e8 5 bytes JMP 000007ff7da303a4 .text C:\Windows\servicing\TrustedInstaller.exe[2584] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 
000007fefda1790c 5 bytes JMP 000007ff7da3075c .text C:\Windows\servicing\TrustedInstaller.exe[2584] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda17ab4 5 bytes JMP 000007ff7da30b14 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe3ae0 5 bytes JMP 000000010018075c .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe7a90 5 bytes JMP 00000001001803a4 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000770113c0 5 bytes JMP 0000000077170460 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077011410 5 bytes JMP 0000000077170450 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077011490 5 bytes JMP 0000000100180b14 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000770114f0 5 bytes JMP 0000000100180ecc .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077011570 5 bytes JMP 0000000077170370 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000770115c0 5 bytes JMP 0000000077170470 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 000000010018163c .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077011680 5 bytes JMP 0000000077170320 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000770116b0 5 bytes JMP 00000000771703b0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000770116d0 5 bytes JMP 0000000077170390 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077011710 5 bytes JMP 00000000771702e0 .text 
C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077011790 5 bytes JMP 00000000771702d0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000770117b0 5 bytes JMP 0000000077170310 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000770117f0 5 bytes JMP 00000000771703c0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077011810 5 bytes JMP 0000000100181284 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077011840 5 bytes JMP 00000000771703f0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000770119a0 1 byte JMP 0000000077170230 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000770119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077011b60 5 bytes JMP 0000000077170480 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077011b90 5 bytes JMP 00000000771703a0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077011c70 5 bytes JMP 00000000771702f0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077011c80 5 bytes JMP 0000000077170350 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077011ce0 5 bytes JMP 0000000077170290 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077011d70 5 bytes JMP 00000000771702b0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077011d90 5 bytes JMP 00000000771703d0 .text C:\Windows\system32\taskhost.exe[2556] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077011da0 1 byte JMP 0000000077170330 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077011da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077011e10 5 bytes JMP 0000000077170410 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077011e40 5 bytes JMP 0000000077170240 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077012100 5 bytes JMP 00000000771701e0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000770121c0 1 byte JMP 0000000077170250 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000770121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000770121f0 5 bytes JMP 0000000077170490 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077012200 5 bytes JMP 00000000771704a0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077012230 5 bytes JMP 0000000077170300 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077012240 5 bytes JMP 0000000077170360 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000770122a0 5 bytes JMP 00000000771702a0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000770122f0 5 bytes JMP 00000000771702c0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077012320 5 bytes JMP 0000000077170380 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077012330 5 bytes JMP 
0000000077170340 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077012620 5 bytes JMP 0000000077170440 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077012820 5 bytes JMP 0000000077170260 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077012830 5 bytes JMP 0000000077170270 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 00000001001819f4 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077012a00 5 bytes JMP 00000000771701f0 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077012a10 5 bytes JMP 0000000077170210 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077012a80 5 bytes JMP 0000000077170200 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077012ae0 5 bytes JMP 0000000077170420 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077012af0 5 bytes JMP 0000000077170430 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077012b00 5 bytes JMP 0000000077170220 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077012be0 5 bytes JMP 0000000077170280 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda16e00 5 bytes JMP 000007ff7da31dac .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda16f2c 5 bytes JMP 000007ff7da30ecc .text 
C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda17220 5 bytes JMP 000007ff7da31284 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda1739c 5 bytes JMP 000007ff7da3163c .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda17538 5 bytes JMP 000007ff7da319f4 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda175e8 5 bytes JMP 000007ff7da303a4 .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda1790c 5 bytes JMP 000007ff7da3075c .text C:\Windows\system32\taskhost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda17ab4 5 bytes JMP 000007ff7da30b14 .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076fe3ae0 5 bytes JMP 00000001001d075c .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076fe7a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077011490 5 bytes JMP 00000001001d0b14 .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000770114f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000770115d0 5 bytes JMP 00000001001d163c .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077011810 5 bytes JMP 00000001001d1284 .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077012840 5 bytes JMP 00000001001d19f4 .text C:\Windows\system32\taskeng.exe[740] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076efeecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[740] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda16e00 5 bytes JMP 000007ff7da31dac .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda16f2c 5 bytes JMP 000007ff7da30ecc .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda17220 5 bytes JMP 000007ff7da31284 .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda1739c 5 bytes JMP 000007ff7da3163c .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda17538 5 bytes JMP 000007ff7da319f4 .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda175e8 5 bytes JMP 000007ff7da303a4 .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda1790c 5 bytes JMP 000007ff7da3075c .text C:\Windows\system32\taskeng.exe[740] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda17ab4 5 bytes JMP 000007ff7da30b14 .text C:\Users\Aga\Desktop\2vy53tsb.exe[3928] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074f7a30a 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [892:416] 000007fefb58f2f4 Thread C:\Windows\System32\svchost.exe [892:420] 000007fefc5a6204 Thread C:\Windows\System32\svchost.exe [892:1044] 000007fefaac2070 Thread C:\Windows\System32\svchost.exe [892:1048] 000007fefa925428 Thread C:\Windows\System32\svchost.exe [892:2640] 000007fef1f36b8c Thread C:\Windows\System32\svchost.exe [892:172] 000007fef1f31d88 Thread C:\Windows\System32\svchost.exe [892:3472] 000007fefce72098 Thread C:\Windows\System32\svchost.exe [936:968] 000007fefaad331c Thread C:\Windows\System32\svchost.exe [936:1120] 000007fefa1f59a0 Thread C:\Windows\System32\svchost.exe [936:2076] 000007fef67520c0 Thread C:\Windows\System32\svchost.exe [936:2092] 000007fef67114a0 Thread 
C:\Windows\System32\svchost.exe [936:2104] 000007fef67526a8 Thread C:\Windows\System32\svchost.exe [936:2128] 000007fef67529dc Thread C:\Windows\System32\svchost.exe [936:2372] 000007fef5bba2b0 Thread C:\Windows\System32\svchost.exe [936:2544] 000007fef72244e0 Thread C:\Windows\System32\svchost.exe [936:3936] 000007fef77088f8 Thread C:\Windows\system32\svchost.exe [380:1944] 000007fef73f5124 Thread C:\Windows\system32\svchost.exe [380:2848] 000007fef45983d8 Thread C:\Windows\system32\svchost.exe [380:2852] 000007fef45983d8 Thread C:\Windows\system32\svchost.exe [380:2864] 000007fef4433f1c Thread C:\Windows\system32\svchost.exe [380:2868] 000007fef4401a38 Thread C:\Windows\system32\svchost.exe [380:2872] 000007fef43f5388 Thread C:\Windows\system32\svchost.exe [380:2876] 000007fef43d7738 Thread C:\Windows\system32\svchost.exe [380:2880] 000007fef43c1f90 Thread C:\Windows\system32\svchost.exe [380:2612] 000007fef7a95170 Thread C:\Windows\System32\WUDFHost.exe [2384:2572] 000007fef53624a0 Thread C:\Windows\system32\SearchIndexer.exe [2804:2912] 000007fef7a95170 Thread C:\Windows\system32\SearchIndexer.exe [2804:2924] 000007fef4b769ac Thread C:\Windows\system32\SearchIndexer.exe [2804:2932] 000007fef4943dac Thread C:\Windows\system32\SearchIndexer.exe [2804:2936] 000007fef4941700 Thread C:\Windows\system32\SearchIndexer.exe [2804:2940] 000007fef496b248 Thread C:\Windows\system32\SearchIndexer.exe [2804:2944] 000007fef496c4ac Thread C:\Windows\system32\SearchIndexer.exe [2804:2052] 000007fef4b769ac Thread C:\Windows\system32\SearchIndexer.exe [2804:3112] 000007fefd300168 Thread C:\Windows\System32\svchost.exe [1212:2144] 000007fef0729688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1200:2992] 000007fefd300168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1200:2444] 000007fefb372a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1200:2484] 000007fef119d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1200:2976] 
000007fef73f5124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 56 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 136823 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 56 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 136823 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- Files - GMER 2.1 ---- File C:\Windows\Temp\_avast_\unp6277676.tmp (size mismatch) 17758103/0 bytes executable ---- EOF - GMER 2.1 ----