GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-24 14:18:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 SAMSUNG_HM251JJ rev.2AA00_00 232,89GB Running: xvcd5sk2.exe; Driver: C:\Users\Dziabong\AppData\Local\Temp\uxldapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 000000014a370460 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 000000014a370450 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 000000014a370370 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 000000014a370470 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 000000014a3703e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 000000014a370320 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 000000014a3703b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 000000014a370390 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 000000014a3702e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 000000014a3702d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 000000014a370310 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 000000014a3703c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 000000014a3703f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 000000014a370230 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 000000014a370480 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 000000014a3703a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 000000014a3702f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 000000014a370350 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 000000014a370290 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 000000014a3702b0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 000000014a3703d0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 000000014a370330 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 000000014a370410 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 000000014a370240 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 000000014a3701e0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 000000014a370250 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 000000014a370490 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 000000014a3704a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 000000014a370300 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 000000014a370360 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 000000014a3702a0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 000000014a3702c0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 000000014a370380 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 000000014a370340 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 000000014a370440 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 000000014a370260 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 000000014a370270 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 000000014a370400 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 000000014a3701f0 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 000000014a370210 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 000000014a370200 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 000000014a370420 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 000000014a370430 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 000000014a370220 .text C:\Windows\system32\csrss.exe[456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 000000014a370280 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\wininit.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\wininit.exe[496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 000000014a370460 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 000000014a370450 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 000000014a370370 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 000000014a370470 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 000000014a3703e0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 000000014a370320 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 000000014a3703b0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 000000014a370390 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 000000014a3702e0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 000000014a3702d0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 000000014a370310 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 000000014a3703c0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 000000014a3703f0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 000000014a370230 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 000000014a370480 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 000000014a3703a0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 000000014a3702f0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 000000014a370350 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 000000014a370290 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 000000014a3702b0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 000000014a3703d0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 000000014a370330 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 000000014a370410 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 000000014a370240 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 000000014a3701e0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 000000014a370250 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 000000014a370490 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 000000014a3704a0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 000000014a370300 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 000000014a370360 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 000000014a3702a0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 000000014a3702c0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 000000014a370380 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 000000014a370340 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 000000014a370440 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 000000014a370260 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 000000014a370270 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 000000014a370400 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 000000014a3701f0 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 000000014a370210 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 000000014a370200 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 000000014a370420 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 000000014a370430 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 000000014a370220 .text C:\Windows\system32\csrss.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 000000014a370280 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\services.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\services.exe[552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\lsass.exe[576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[692] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\winlogon.exe[760] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[640] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1300] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\WLANExt.exe[1408] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\spoolsv.exe[1588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files\LENOVO\HOTKEY\TPHKLOAD.exe[1792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe[1872] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] .text C:\Program Files\LENOVO\HOTKEY\tposdsvc.exe[1912] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe[1944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\Explorer.EXE[1960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\Explorer.EXE[1960] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2004] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[1484] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\taskhost.exe[1704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe[2120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files\Autodesk\Inventor 2013\Moldflow\bin\mitsijm.exe[2160] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\PROGRA~1\LENOVO\VIRTSCRL\virtscrl.exe[2168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\svchost.exe[2352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\SIMULIA\Documentation\monitor.exe[2380] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] .text C:\SIMULIA\Documentation\monitor.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075581465 2 bytes [58, 75] .text C:\SIMULIA\Documentation\monitor.exe[2380] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755814bb 2 bytes [58, 75] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 0000000076f203e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 0000000076f20400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\SIMULIA\Documentation\monitor.exe[2428] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] .text C:\SIMULIA\Documentation\monitor.exe[2428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075581465 2 bytes [58, 75] .text C:\SIMULIA\Documentation\monitor.exe[2428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755814bb 2 bytes [58, 75] .text ... * 2 .text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2584] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] .text C:\Program Files\Lenovo\Zoom\TpScrex.exe[2592] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2092] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2092] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 5 bytes JMP 000000010026075c .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d97ac0 5 bytes JMP 00000001002603a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076dc1430 5 bytes JMP 0000000100260b14 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076dc1490 5 bytes JMP 0000000100260ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 000000010026163c .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076dc17b0 5 bytes JMP 0000000100261284 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 00000001002619f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\system32\wbem\wmiprvse.exe[3124] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\system32\wbem\unsecapp.exe[3188] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\system32\wbem\unsecapp.exe[3188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\system32\wbem\unsecapp.exe[3188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\system32\wbem\unsecapp.exe[3188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\system32\wbem\unsecapp.exe[3188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\system32\wbem\unsecapp.exe[3188] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\system32\wbem\unsecapp.exe[3188] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\system32\wbem\unsecapp.exe[3188] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 5 bytes JMP 000000010027075c .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d97ac0 5 bytes JMP 00000001002703a4 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076dc1430 5 bytes JMP 0000000100270b14 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076dc1490 5 bytes JMP 0000000100270ecc .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 000000010027163c .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076dc17b0 5 bytes JMP 0000000100271284 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 00000001002719f4 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\System32\rundll32.exe[3692] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 5 bytes JMP 000000010027075c .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d97ac0 5 bytes JMP 00000001002703a4 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076dc1430 5 bytes JMP 0000000100270b14 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076dc1490 5 bytes JMP 0000000100270ecc .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 000000010027163c .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076dc17b0 5 bytes JMP 0000000100271284 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 00000001002719f4 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\System32\hkcmd.exe[3776] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\System32\igfxpers.exe[3788] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\System32\igfxpers.exe[3788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\System32\igfxpers.exe[3788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\System32\igfxpers.exe[3788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\System32\igfxpers.exe[3788] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\System32\igfxpers.exe[3788] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\System32\igfxpers.exe[3788] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\System32\igfxpers.exe[3788] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 5 bytes JMP 000000010037075c .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d97ac0 5 bytes JMP 00000001003703a4 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076dc1430 5 bytes JMP 0000000100370b14 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076dc1490 5 bytes JMP 0000000100370ecc .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 000000010037163c .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076dc17b0 5 bytes JMP 0000000100371284 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 00000001003719f4 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\system32\igfxsrvc.exe[3820] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 5 bytes JMP 00000001002c075c .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d97ac0 5 bytes JMP 00000001002c03a4 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076dc1430 5 bytes JMP 00000001002c0b14 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076dc1490 5 bytes JMP 00000001002c0ecc .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 00000001002c163c .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076dc17b0 5 bytes JMP 00000001002c1284 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 00000001002c19f4 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\System32\TpShocks.exe[3860] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f6fac0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f6fb58 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f70038 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f71920 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f8c4dd 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007694ee09 5 bytes JMP 00000001001501f8 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076953982 5 bytes JMP 00000001001503fc .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076957603 5 bytes JMP 0000000100150804 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007695835c 5 bytes JMP 0000000100150600 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007696f52b 5 bytes JMP 0000000100150a08 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075275181 5 bytes JMP 0000000100161014 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075275254 5 bytes JMP 0000000100160804 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000752753d5 5 bytes JMP 0000000100160a08 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000752754c2 5 bytes JMP 0000000100160c0c .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000752755e2 5 bytes JMP 0000000100160e10 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007527567c 5 bytes JMP 00000001001601f8 .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007527589f 5 bytes JMP 00000001001603fc .text C:\Windows\SysWOW64\rundll32.exe[3964] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075275a22 5 bytes JMP 0000000100160600 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 5 bytes JMP 000000010022075c .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d97ac0 5 bytes JMP 00000001002203a4 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076dc1430 5 bytes JMP 0000000100220b14 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076dc1490 5 bytes JMP 0000000100220ecc .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 000000010022163c .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076dc17b0 5 bytes JMP 0000000100221284 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 00000001002219f4 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\system32\SearchIndexer.exe[4020] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f6fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f6fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f70038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f71920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f8c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075275181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075275254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000752753d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000752754c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000752755e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007527567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007527589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075275a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007694ee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076953982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076957603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007695835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3144] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007696f52b 5 bytes JMP 0000000100260a08 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 5 bytes JMP 000000010013075c .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d97ac0 5 bytes JMP 00000001001303a4 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076dc1430 5 bytes JMP 0000000100130b14 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076dc1490 5 bytes JMP 0000000100130ecc .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 000000010013163c .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076dc17b0 5 bytes JMP 0000000100131284 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 00000001001319f4 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\system32\rundll32.exe[3152] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3584] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3816] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076f6fac0 5 bytes JMP 0000000100030600 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076f6fb58 5 bytes JMP 0000000100030804 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076f6fcb0 5 bytes JMP 0000000100030c0c .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f70038 5 bytes JMP 0000000100030a08 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000076f71920 5 bytes JMP 0000000100030e10 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f8c4dd 5 bytes JMP 00000001000301f8 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f91287 5 bytes JMP 00000001000303fc .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007694ee09 5 bytes JMP 00000001000a01f8 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076953982 5 bytes JMP 00000001000a03fc .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076957603 5 bytes JMP 00000001000a0804 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007695835c 5 bytes JMP 00000001000a0600 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007696f52b 5 bytes JMP 00000001000a0a08 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075275181 5 bytes JMP 00000001000b1014 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075275254 5 bytes JMP 00000001000b0804 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000752753d5 5 bytes JMP 00000001000b0a08 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000752754c2 5 bytes JMP 00000001000b0c0c .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000752755e2 5 bytes JMP 00000001000b0e10 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007527567c 5 bytes JMP 00000001000b01f8 .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007527589f 5 bytes JMP 00000001000b03fc .text C:\PROGRA~2\ThinkPad\UTILIT~1\SCHTASK.exe[3808] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075275a22 5 bytes JMP 00000001000b0600 .text C:\Windows\system32\igfxext.exe[1464] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\system32\igfxext.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\system32\igfxext.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\system32\igfxext.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\system32\igfxext.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\system32\igfxext.exe[1464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\system32\igfxext.exe[1464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\system32\igfxext.exe[1464] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d93b10 5 bytes JMP 000000010042075c .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d97ac0 5 bytes JMP 00000001004203a4 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076dc1360 5 bytes JMP 0000000076f20460 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076dc13b0 5 bytes JMP 0000000076f20450 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076dc1430 5 bytes JMP 0000000100420b14 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076dc1490 5 bytes JMP 0000000100420ecc .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076dc1510 5 bytes JMP 0000000076f20370 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076dc1560 5 bytes JMP 0000000076f20470 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076dc1570 5 bytes JMP 000000010042163c .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076dc1620 5 bytes JMP 0000000076f20320 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076dc1650 5 bytes JMP 0000000076f203b0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076dc1670 5 bytes JMP 0000000076f20390 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076dc16b0 5 bytes JMP 0000000076f202e0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076dc1730 5 bytes JMP 0000000076f202d0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076dc1750 5 bytes JMP 0000000076f20310 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076dc1790 5 bytes JMP 0000000076f203c0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076dc17b0 5 bytes JMP 0000000100421284 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076dc17e0 5 bytes JMP 0000000076f203f0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076dc1940 5 bytes JMP 0000000076f20230 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076dc1b00 5 bytes JMP 0000000076f20480 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076dc1b30 5 bytes JMP 0000000076f203a0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076dc1c10 5 bytes JMP 0000000076f202f0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076dc1c20 5 bytes JMP 0000000076f20350 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076dc1c80 5 bytes JMP 0000000076f20290 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076dc1d10 5 bytes JMP 0000000076f202b0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076dc1d30 5 bytes JMP 0000000076f203d0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076dc1d40 5 bytes JMP 0000000076f20330 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076dc1db0 5 bytes JMP 0000000076f20410 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076dc1de0 5 bytes JMP 0000000076f20240 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076dc20a0 5 bytes JMP 0000000076f201e0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076dc2160 5 bytes JMP 0000000076f20250 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076dc2190 5 bytes JMP 0000000076f20490 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076dc21a0 5 bytes JMP 0000000076f204a0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076dc21d0 5 bytes JMP 0000000076f20300 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076dc21e0 5 bytes JMP 0000000076f20360 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076dc2240 5 bytes JMP 0000000076f202a0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076dc2290 5 bytes JMP 0000000076f202c0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076dc22c0 5 bytes JMP 0000000076f20380 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076dc22d0 5 bytes JMP 0000000076f20340 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076dc25c0 5 bytes JMP 0000000076f20440 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076dc27c0 5 bytes JMP 0000000076f20260 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076dc27d0 5 bytes JMP 0000000076f20270 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076dc27e0 5 bytes JMP 00000001004219f4 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076dc29a0 5 bytes JMP 0000000076f201f0 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076dc29b0 5 bytes JMP 0000000076f20210 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076dc2a20 5 bytes JMP 0000000076f20200 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076dc2a80 5 bytes JMP 0000000076f20420 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076dc2a90 5 bytes JMP 0000000076f20430 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076dc2aa0 5 bytes JMP 0000000076f20220 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076dc2b80 5 bytes JMP 0000000076f20280 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\System32\svchost.exe[3276] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\system32\DllHost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\system32\DllHost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\system32\DllHost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\system32\DllHost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\system32\DllHost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\system32\DllHost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\system32\DllHost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\system32\DllHost.exe[4532] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\System32\svchost.exe[4564] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[4564] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd166e00 5 bytes JMP 000007ff7d181dac .text C:\Windows\System32\svchost.exe[4564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd166f2c 5 bytes JMP 000007ff7d180ecc .text C:\Windows\System32\svchost.exe[4564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd167220 5 bytes JMP 000007ff7d181284 .text C:\Windows\System32\svchost.exe[4564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd16739c 5 bytes JMP 000007ff7d18163c .text C:\Windows\System32\svchost.exe[4564] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd167538 5 bytes JMP 000007ff7d1819f4 .text C:\Windows\System32\svchost.exe[4564] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd1675e8 5 bytes JMP 000007ff7d1803a4 .text C:\Windows\System32\svchost.exe[4564] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd16790c 5 bytes JMP 000007ff7d18075c .text C:\Windows\System32\svchost.exe[4564] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefd167ab4 5 bytes JMP 000007ff7d180b14 .text C:\Windows\system32\AUDIODG.EXE[4060] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076baeecd 1 byte [62] .text C:\Users\Dziabong\Downloads\xvcd5sk2.exe[4396] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000074dba30a 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3816:4904] 000007fefd630168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3816:4920] 000007fefb212a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3816:4928] 000007feececd618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3816:5080] 000007fef3695124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3816:4964] 000007feece69730 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3816:4996] 000007feececd618 Thread C:\Windows\System32\svchost.exe [4564:2512] 000007feec839688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet001\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet001\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet001\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet001\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet001\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet001\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet001\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet001\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet001\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet001\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet001\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet001\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet001\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet001\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet001\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet001\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\aswRvrt\Parameters@BootCounter 15 Reg HKLM\SYSTEM\ControlSet001\services\aswRvrt\Parameters@TickCounter 1001016 Reg HKLM\SYSTEM\ControlSet001\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet001\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet001\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet001\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet001\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet001\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet001\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet001\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet001\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet001\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet001\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet001\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet001\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet001\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet001\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet001\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet001\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet001\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet001\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet001\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet001\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet001\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet001\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet001\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet001\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet001\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet001\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet001\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet001\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet001\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet001\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet001\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet001\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet001\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet001\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet001\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet001\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001c26db3bce (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001c26db3bce@6c9b02bb193e 0x64 0xA6 0x66 0xF8 ... Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001c26db3bce@c819f7b13871 0x95 0x2F 0x16 0xEE ... Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 47 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 2389426 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c26db3bce Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c26db3bce@6c9b02bb193e 0x64 0xA6 0x66 0xF8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001c26db3bce@c819f7b13871 0x95 0x2F 0x16 0xEE ... Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet003\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet003\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet003\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet003\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@BootCounter 47 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@TickCounter 2389426 Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet003\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet003\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet003\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet003\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet003\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet003\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet003\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001c26db3bce (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001c26db3bce@6c9b02bb193e 0x64 0xA6 0x66 0xF8 ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\001c26db3bce@c819f7b13871 0x95 0x2F 0x16 0xEE ... ---- EOF - GMER 2.1 ----