GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-01-30 14:26:18 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST1000LM rev.2AR1 931,51GB Running: qx37e0vs.exe; Driver: C:\Users\Lenovo\AppData\Local\Temp\kfrdapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 000000014a3c0460 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 000000014a3c0450 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 000000014a3c0370 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 000000014a3c0470 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000014a3c03e0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 000000014a3c0320 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 000000014a3c03b0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 000000014a3c0390 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 000000014a3c02e0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 000000014a3c02d0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 000000014a3c0310 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 000000014a3c03c0 .text C:\Windows\system32\csrss.exe[676] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 000000014a3c03f0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 000000014a3c0230 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0xffffffffd2aae890} .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 000000014a3c0480 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 000000014a3c03a0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 000000014a3c02f0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 000000014a3c0350 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 000000014a3c0290 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 000000014a3c02b0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 000000014a3c03d0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 000000014a3c0330 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0xffffffffd2aae590} .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 000000014a3c0410 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 000000014a3c0240 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 000000014a3c01e0 
.text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 000000014a3c0250 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0xffffffffd2aae090} .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 000000014a3c0490 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 000000014a3c04a0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 000000014a3c0300 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 000000014a3c0360 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 000000014a3c02a0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 000000014a3c02c0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 000000014a3c0380 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 000000014a3c0340 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 000000014a3c0440 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 000000014a3c0260 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 000000014a3c0270 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 000000014a3c0400 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000077912a00 5 bytes JMP 000000014a3c01f0 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 000000014a3c0210 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 000000014a3c0200 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 000000014a3c0420 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 000000014a3c0430 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 000000014a3c0220 .text C:\Windows\system32\csrss.exe[676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 000000014a3c0280 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\wininit.exe[808] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 
.text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\wininit.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\wininit.exe[808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 000000014a3c0460 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 000000014a3c0450 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 000000014a3c0370 .text C:\Windows\system32\csrss.exe[824] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 000000014a3c0470 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000014a3c03e0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 000000014a3c0320 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 000000014a3c03b0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 000000014a3c0390 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 000000014a3c02e0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 000000014a3c02d0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 000000014a3c0310 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 000000014a3c03c0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 000000014a3c03f0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 000000014a3c0230 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0xffffffffd2aae890} .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 000000014a3c0480 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 000000014a3c03a0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 000000014a3c02f0 .text 
C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 000000014a3c0350 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 000000014a3c0290 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 000000014a3c02b0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 000000014a3c03d0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 000000014a3c0330 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0xffffffffd2aae590} .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 000000014a3c0410 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 000000014a3c0240 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 000000014a3c01e0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 000000014a3c0250 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0xffffffffd2aae090} .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 000000014a3c0490 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 000000014a3c04a0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 000000014a3c0300 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
0000000077912240 5 bytes JMP 000000014a3c0360 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 000000014a3c02a0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 000000014a3c02c0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 000000014a3c0380 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 000000014a3c0340 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 000000014a3c0440 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 000000014a3c0260 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 000000014a3c0270 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 000000014a3c0400 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 000000014a3c01f0 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 000000014a3c0210 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 000000014a3c0200 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 000000014a3c0420 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 000000014a3c0430 .text C:\Windows\system32\csrss.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 000000014a3c0220 .text C:\Windows\system32\csrss.exe[824] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 000000014a3c0280 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 
0000000077a70230 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\winlogon.exe[872] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 
bytes JMP 0000000077a70210 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\winlogon.exe[872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\services.exe[924] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 
0000000077a70330 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\services.exe[924] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\services.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\services.exe[924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 
0000000077a70370 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\lsass.exe[932] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text 
C:\Windows\system32\lsass.exe[932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text 
C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text 
C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text 
C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\lsm.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes 
JMP 0000000077a70310 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\svchost.exe[184] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 
.text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\svchost.exe[184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\svchost.exe[184] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000100060460 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000100060450 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000100060370 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000100060470 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 00000001000603e0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 
0000000077911680 5 bytes JMP 0000000100060320 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 00000001000603b0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000100060390 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 00000001000602e0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 00000001000602d0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000100060310 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 00000001000603c0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 00000001000603f0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000100060230 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0xffffffff8874e890} .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000100060480 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 00000001000603a0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 00000001000602f0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000100060350 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000100060290 .text C:\Windows\system32\nvvsvc.exe[696] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 00000001000602b0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 00000001000603d0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000100060330 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0xffffffff8874e590} .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000100060410 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000100060240 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 00000001000601e0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000100060250 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0xffffffff8874e090} .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000100060490 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 00000001000604a0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000100060300 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000100060360 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 00000001000602a0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 
00000001000602c0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000100060380 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000100060340 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000100060440 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000100060260 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000100060270 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000100060400 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 00000001000601f0 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000100060210 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000100060200 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000100060420 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000100060430 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000100060220 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000100060280 .text C:\Windows\system32\nvvsvc.exe[696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[776] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text 
C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[776] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 
0000000077a70200 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\svchost.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\System32\svchost.exe[1032] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes 
JMP 0000000077a70410 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\System32\svchost.exe[1032] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 
bytes JMP 0000000077a703e0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\System32\svchost.exe[1084] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 
0000000077a702a0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\System32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\System32\svchost.exe[1084] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\svchost.exe[1132] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 
bytes JMP 0000000077a70210 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\svchost.exe[1132] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\svchost.exe[1164] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 
0000000077a70330 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\svchost.exe[1164] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes 
JMP 0000000077a70370 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\svchost.exe[1412] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 
0000000077a70300 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\svchost.exe[1412] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\svchost.exe[1412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 
0000000077a703c0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\System32\spoolsv.exe[1596] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 
0000000077a70400 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\svchost.exe[1628] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 
bytes JMP 0000000077a702b0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\svchost.exe[1628] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\svchost.exe[1628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1724] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 
00000000757aa30a 1 byte [62] .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\svchost.exe[1808] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 
bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\svchost.exe[1808] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 
0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Program 
Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1828] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text 
C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\svchost.exe[1964] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 
0000000077a70440 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\svchost.exe[1964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text 
C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 
0000000077a70480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 
00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1212] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757aa30a 1 byte [62] .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfaa0 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb38 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077abfc90 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0018 5 bytes JMP 0000000100240a08 .text C:\Program Files 
(x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ac1900 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077adc45a 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ae1217 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000757aa30a 1 byte [62] .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007682ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076833982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076837603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007683835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007684f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000769c5181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000769c5254 5 bytes JMP 0000000100260804 .text C:\Program Files 
(x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769c53d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769c54c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769c55e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000769c567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000769c589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe[2744] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000769c5a22 5 bytes JMP 0000000100260600 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010033075c .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001003303a4 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100330b14 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] 
C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100330ecc .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010033163c .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100331284 .text C:\Program Files\Microsoft SQL 
Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Program 
Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text 
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001003319f4 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 
0000000077a70280 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2772] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Windows\system32\svchost.exe[2808] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text 
C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\system32\svchost.exe[2808] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010048075c .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001004803a4 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100480b14 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100480ecc .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\svchost.exe[2836] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010048163c .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100481284 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 
bytes JMP 0000000077a702f0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\svchost.exe[2836] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001004819f4 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes 
JMP 0000000077a70220 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\system32\svchost.exe[2836] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfaa0 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb38 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077abfc90 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] 
C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0018 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ac1900 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077adc45a 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ae1217 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000757aa30a 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007682ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076833982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076837603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007683835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007684f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000769c5181 5 bytes JMP 00000001002f1014 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000769c5254 5 bytes JMP 00000001002f0804 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769c53d5 5 bytes JMP 00000001002f0a08 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769c54c2 5 bytes JMP 00000001002f0c0c .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769c55e2 5 bytes JMP 00000001002f0e10 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000769c567c 5 bytes JMP 00000001002f01f8 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000769c589f 5 bytes JMP 00000001002f03fc .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2952] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000769c5a22 5 bytes JMP 00000001002f0600 .text C:\Windows\system32\svchost.exe[3604] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\system32\svchost.exe[3604] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\system32\svchost.exe[3604] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\system32\svchost.exe[3604] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\system32\svchost.exe[3604] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\system32\svchost.exe[3604] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\system32\svchost.exe[3604] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\system32\svchost.exe[3604] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010011075c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001001103a4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100110b14 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100110ecc .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010011163c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100111284 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001001119f4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 
.text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 
bytes JMP 000007ff7fbd19f4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe[3448] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010044075c .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001004403a4 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100440b14 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100440ecc .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010044163c .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100441284 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001004419f4 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe083460 7 bytes JMP 000007fffe0500d8 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe089940 6 bytes JMP 000007fffe050148 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe089fb0 5 bytes JMP 000007fffe050180 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe08a150 5 bytes JMP 
000007fffe050110 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff5089e0 8 bytes JMP 000007fffe0501f0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff50be40 8 bytes JMP 000007fffe0501b8 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\system32\dxgi.dll!CreateDXGIFactory 000007fef8b0dc88 5 bytes JMP 000007fff8ae00d8 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1 000007fef8b0de10 5 bytes JMP 000007fff8ae0110 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010021075c .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001002103a4 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 
00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100210b14 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100210ecc .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010021163c .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100211284 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text 
C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\Explorer.EXE[2780] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001002119f4 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\Explorer.EXE[2780] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\Explorer.EXE[2780] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010039075c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] 
C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001003903a4 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000100070460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000100070450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100390b14 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100390ecc .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000100070370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000100070470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010039163c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000100070320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 00000001000703b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000100070390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 00000001000702e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
0000000077911790 5 bytes JMP 00000001000702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000100070310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 00000001000703c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100391284 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 00000001000703f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000100070230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0xffffffff8875e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000100070480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 00000001000703a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 00000001000702f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000100070350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000100070290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes 
JMP 00000001000702b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 00000001000703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000100070330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0xffffffff8875e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000100070410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000100070240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 00000001000701e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000100070250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0xffffffff8875e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000100070490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 00000001000704a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000100070300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000100070360 .text 
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 00000001000702a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 00000001000702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000100070380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000100070340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000100070440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000100070260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000100070270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001003919f4 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 00000001000701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000100070210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000100070200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000100070420 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000100070430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000100070220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000100070280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 00000000775cefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 00000000775f99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 00000000776094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000077609640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 000000007762a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe083460 7 bytes JMP 000007fffe0500d8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe089940 6 bytes JMP 000007fffe050148 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe089fb0 5 bytes JMP 000007fffe050180 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe08a150 5 bytes JMP 000007fffe050110 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff5089e0 8 bytes JMP 000007fffe0501f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff50be40 8 bytes JMP 000007fffe0501b8 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff137490 11 bytes JMP 000007fffe050228 .text C:\Program 
Files\NVIDIA Corporation\Display\nvxdsync.exe[3876] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff14bf00 7 bytes JMP 000007fffe050260 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010016075c .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001001603a4 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100160b14 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100160ecc .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010016163c .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\nvvsvc.exe[3616] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100161284 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 
0000000077a70330 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\nvvsvc.exe[3616] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001001619f4 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 
bytes JMP 000007ff7fbd1284 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\system32\nvvsvc.exe[3616] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010014075c .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001001403a4 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100140b14 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100140ecc .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010014163c .text 
C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100141284 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\taskhost.exe[1540] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001001419f4 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text 
C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\system32\taskhost.exe[1540] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077abfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files 
(x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ac1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077adc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ae1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000757aa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000769c5181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000769c5254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769c53d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769c54c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769c55e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] 
C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000769c567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000769c589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000769c5a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007682ee09 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076833982 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076837603 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007683835c 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2016] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007684f52b 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077abfc90 5 bytes JMP 0000000100030c0c .text 
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ac1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077adc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ae1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000757aa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000769c5181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000769c5254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769c53d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769c54c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769c55e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 
00000000769c567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000769c589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000769c5a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007682ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076833982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076837603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007683835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[2688] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007684f52b 5 bytes JMP 0000000100110a08 .text C:\Windows\System32\svchost.exe[2632] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\System32\svchost.exe[2632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\System32\svchost.exe[2632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\System32\svchost.exe[2632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\System32\svchost.exe[2632] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\System32\svchost.exe[2632] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\System32\svchost.exe[2632] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\System32\svchost.exe[2632] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1328] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010027075c .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001002703a4 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100270b14 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100270ecc .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010027163c .text 
C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100271284 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 
0000000077a702f0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 
bytes JMP 0000000077a70300 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001002719f4 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 
0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\system32\SearchIndexer.exe[1020] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 00000001002b075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001002b03a4 .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000100070460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000100070450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 00000001002b0b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 00000001002b0ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000100070370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000100070470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 00000001002b163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000100070320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 00000001000703b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000100070390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 00000001000702e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 00000001000702d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000100070310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 00000001000703c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 00000001002b1284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 00000001000703f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000100070230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0xffffffff8875e890} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000100070480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 00000001000703a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 00000001000702f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000100070350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000100070290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 00000001000702b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 
0000000077911d90 5 bytes JMP 00000001000703d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000100070330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0xffffffff8875e590} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000100070410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000100070240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 00000001000701e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000100070250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0xffffffff8875e090} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000100070490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 00000001000704a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000100070300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000100070360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 00000001000702a0 .text 
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 00000001000702c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000100070380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000100070340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000100070440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000100070260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000100070270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001002b19f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 00000001000701f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000100070210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000100070200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000100070420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000100070430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000100070220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000100070280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 00000000775cefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 00000000775f99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 00000000776094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000077609640 5 bytes JMP 000000016fff0110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 000000007762a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe083460 7 bytes JMP 000007fffe0500d8 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe089940 6 bytes JMP 000007fffe050148 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe089fb0 5 bytes JMP 000007fffe050180 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe08a150 5 bytes JMP 000007fffe050110 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff5089e0 8 bytes JMP 000007fffe0501f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4136] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff50be40 8 bytes JMP 000007fffe0501b8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb38 5 bytes JMP 0000000100030804 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077abfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ac1900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077adc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ae1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000757aa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000769c5181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000769c5254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769c53d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769c54c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769c55e2 5 
bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000769c567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000769c589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000769c5a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007682ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076833982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076837603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007683835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4832] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007684f52b 5 bytes JMP 0000000100110a08 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010028075c .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001002803a4 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 
0000000077911410 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100280b14 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100280ecc .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010028163c .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100281284 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 00000001000703f0 .text 
C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0xffffffff8875e890} .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0xffffffff8875e590} .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[5108] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0xffffffff8875e090} .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001002819f4 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000077912a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\System32\svchost.exe[5108] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 
000007ff7fbd0b14 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010034075c .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001003403a4 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100340b14 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100340ecc .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010034163c .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100341284 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001003419f4 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 00000000775cefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 00000000775f99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 00000000776094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 
0000000077609640 5 bytes JMP 000000016fff0110 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 000000007762a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe083460 7 bytes JMP 000007fffe0500d8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe089940 6 bytes JMP 000007fffe050148 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe089fb0 5 bytes JMP 000007fffe050180 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe08a150 5 bytes JMP 000007fffe050110 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff5089e0 8 bytes JMP 000007fffe0501f0 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff50be40 8 bytes JMP 000007fffe0501b8 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Program Files (x86)\Lenovo\Energy Management\utility.exe[1000] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 00000001001e075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001001e03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 00000001001e0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 00000001001e0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 00000001001e163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 00000001001e1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001001e19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 00000000775cefe0 5 bytes JMP 000000016fff0148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Program Files\Windows 
Sidebar\sidebar.exe[3696] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 00000000775f99b0 7 bytes JMP 000000016fff00d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 00000000776094d0 5 bytes JMP 000000016fff0180 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000077609640 5 bytes JMP 000000016fff0110 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 000000007762a500 7 bytes JMP 000000016fff01b8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe083460 7 bytes JMP 000007fffe0500d8 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe089940 6 bytes JMP 000007fffe050148 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe089fb0 5 bytes JMP 000007fffe050180 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe08a150 5 bytes JMP 000007fffe050110 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 
000007ff7fbd19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff5089e0 8 bytes JMP 000007fffe0501f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3696] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff50be40 8 bytes JMP 000007fffe0501b8 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4420] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757aa30a 1 byte [62] .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077abfaa0 5 bytes JMP 0000000100030600 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077abfb38 5 bytes JMP 0000000100030804 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077abfc90 5 bytes JMP 0000000100030c0c .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0018 5 bytes JMP 0000000100030a08 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ac1900 5 bytes JMP 0000000100030e10 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077adc45a 5 bytes JMP 00000001000301f8 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] 
C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077ae1217 5 bytes JMP 00000001000303fc .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000757aa30a 1 byte [62] .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007682ee09 5 bytes JMP 00000001002401f8 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076833982 5 bytes JMP 00000001002403fc .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076837603 5 bytes JMP 0000000100240804 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007683835c 5 bytes JMP 0000000100240600 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007684f52b 5 bytes JMP 0000000100240a08 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000769c5181 5 bytes JMP 0000000100261014 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000769c5254 5 bytes JMP 0000000100260804 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769c53d5 5 bytes JMP 0000000100260a08 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769c54c2 5 bytes JMP 0000000100260c0c .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769c55e2 5 bytes JMP 0000000100260e10 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] 
C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000769c567c 5 bytes JMP 00000001002601f8 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000769c589f 5 bytes JMP 00000001002603fc .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000769c5a22 5 bytes JMP 0000000100260600 .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075721465 2 bytes [72, 75] .text C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe[1336] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000757214bb 2 bytes [72, 75] .text ... * 2 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010023075c .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001002303a4 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100230b14 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100230ecc .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010023163c .text 
C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100231284 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0xffffffff8875e890} .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\wuauclt.exe[5140] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes {JMP 0xffffffff8875e590} .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0xffffffff8875e090} .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
0000000077912240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001002319f4 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000100070220 .text 
C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\KERNEL32.dll!K32GetMappedFileNameW 00000000775cefe0 5 bytes JMP 000000016fff0148 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\KERNEL32.dll!K32EnumProcessModulesEx 00000000775f99b0 7 bytes JMP 000000016fff00d8 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\KERNEL32.dll!K32GetModuleInformation 00000000776094d0 5 bytes JMP 000000016fff0180 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\KERNEL32.dll!K32GetModuleFileNameExW 0000000077609640 5 bytes JMP 000000016fff0110 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\KERNEL32.dll!RegSetValueExA 000000007762a500 7 bytes JMP 000000016fff01b8 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefe083460 7 bytes JMP 000007fffe0500d8 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefe089940 6 bytes JMP 000007fffe050148 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefe089fb0 5 bytes JMP 000007fffe050180 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefe08a150 5 bytes JMP 000007fffe050110 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\ole32.dll!CoCreateInstance 000007feff137490 11 bytes JMP 000007fffe050228 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007feff14bf00 7 bytes JMP 000007fffe050260 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007feff5089e0 8 bytes JMP 000007fffe0501f0 .text 
C:\Windows\system32\wuauclt.exe[5140] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007feff50be40 8 bytes JMP 000007fffe0501b8 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\system32\wuauclt.exe[5140] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000778e3ae0 5 bytes JMP 000000010027075c .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000778e7a90 5 bytes JMP 00000001002703a4 .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077911490 5 bytes JMP 0000000100270b14 .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779114f0 5 bytes JMP 0000000100270ecc .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 000000010027163c .text 
C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077911810 5 bytes JMP 0000000100271284 .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 00000001002719f4 .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\system32\WLANExt.exe[4812] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Windows\system32\conhost.exe[5432] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feffbb6e00 5 bytes JMP 000007ff7fbd1dac .text C:\Windows\system32\conhost.exe[5432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feffbb6f2c 5 bytes JMP 000007ff7fbd0ecc .text C:\Windows\system32\conhost.exe[5432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feffbb7220 5 bytes JMP 000007ff7fbd1284 .text 
C:\Windows\system32\conhost.exe[5432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feffbb739c 5 bytes JMP 000007ff7fbd163c .text C:\Windows\system32\conhost.exe[5432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feffbb7538 5 bytes JMP 000007ff7fbd19f4 .text C:\Windows\system32\conhost.exe[5432] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feffbb75e8 5 bytes JMP 000007ff7fbd03a4 .text C:\Windows\system32\conhost.exe[5432] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feffbb790c 5 bytes JMP 000007ff7fbd075c .text C:\Windows\system32\conhost.exe[5432] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feffbb7ab4 5 bytes JMP 000007ff7fbd0b14 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779113c0 5 bytes JMP 0000000077a70460 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077911410 5 bytes JMP 0000000077a70450 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077911570 5 bytes JMP 0000000077a70370 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779115c0 5 bytes JMP 0000000077a70470 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779115d0 5 bytes JMP 0000000077a703e0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077911680 5 bytes JMP 0000000077a70320 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779116b0 5 bytes JMP 0000000077a703b0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779116d0 5 bytes JMP 0000000077a70390 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077911710 5 bytes JMP 0000000077a702e0 .text C:\Windows\system32\AUDIODG.EXE[1656] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077911790 5 bytes JMP 0000000077a702d0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779117b0 5 bytes JMP 0000000077a70310 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779117f0 5 bytes JMP 0000000077a703c0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077911840 5 bytes JMP 0000000077a703f0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779119a0 1 byte JMP 0000000077a70230 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077911b60 5 bytes JMP 0000000077a70480 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077911b90 5 bytes JMP 0000000077a703a0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077911c70 5 bytes JMP 0000000077a702f0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077911c80 5 bytes JMP 0000000077a70350 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077911ce0 5 bytes JMP 0000000077a70290 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077911d70 5 bytes JMP 0000000077a702b0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077911d90 5 bytes JMP 0000000077a703d0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077911da0 1 byte JMP 0000000077a70330 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077911da2 3 bytes 
{JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077911e10 5 bytes JMP 0000000077a70410 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077911e40 5 bytes JMP 0000000077a70240 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077912100 5 bytes JMP 0000000077a701e0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779121c0 1 byte JMP 0000000077a70250 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779121f0 5 bytes JMP 0000000077a70490 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077912200 5 bytes JMP 0000000077a704a0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077912230 5 bytes JMP 0000000077a70300 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077912240 5 bytes JMP 0000000077a70360 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779122a0 5 bytes JMP 0000000077a702a0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779122f0 5 bytes JMP 0000000077a702c0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077912320 5 bytes JMP 0000000077a70380 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077912330 5 bytes JMP 0000000077a70340 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077912620 5 bytes JMP 0000000077a70440 .text C:\Windows\system32\AUDIODG.EXE[1656] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077912820 5 bytes JMP 0000000077a70260 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077912830 5 bytes JMP 0000000077a70270 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077912840 5 bytes JMP 0000000077a70400 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077912a00 5 bytes JMP 0000000077a701f0 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077912a10 5 bytes JMP 0000000077a70210 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077912a80 5 bytes JMP 0000000077a70200 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077912ae0 5 bytes JMP 0000000077a70420 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077912af0 5 bytes JMP 0000000077a70430 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077912b00 5 bytes JMP 0000000077a70220 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077912be0 5 bytes JMP 0000000077a70280 .text C:\Windows\system32\AUDIODG.EXE[1656] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000775eeecd 1 byte [62] .text C:\Users\Lenovo\Downloads\qx37e0vs.exe[5844] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000757aa30a 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2032] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:1400] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:1696] 0000000074273810 Thread C:\Program 
Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:1128] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:1736] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2052] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2056] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2060] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2064] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2068] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2072] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2076] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2080] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2084] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2088] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2092] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2096] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2100] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2104] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2108] 0000000074273810 Thread C:\Program 
Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2112] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2188] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2192] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2204] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2216] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2220] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2224] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2228] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2236] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2240] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2244] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2264] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2276] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2280] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2284] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2288] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2292] 0000000074273810 Thread C:\Program 
Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2296] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2300] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2304] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2308] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2316] 0000000074273810 Thread C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [1516:2684] 0000000074273810 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3752:4024] 00000000769c7587 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3752:3688] 00000000723a758a Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3752:3660] 0000000077af2e25 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3752:1852] 0000000077af3e45 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3752:4256] 0000000077af3e45 Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3752:5044] 0000000077af3e45 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1328:3028] 000007feff120168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1328:2960] 000007fefbf92a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1328:3768] 000007fef4f5d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1328:4292] 000007fef4675124 ---- Processes - GMER 2.1 ---- Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [1336](2014-01-03 00:45:04) 0000000003d90000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\libcef.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [1336](2013-10-18 23:55:02) 
0000000065ca0000 Library C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\icudt.dll (*** suspicious ***) @ C:\Users\Lenovo\AppData\Roaming\Dropbox\bin\Dropbox.exe [1336] (ICU Data DLL/The ICU Project)(2013-10-18 23:55:00) 0000000065310000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{1A569E1B-4F12-4E4B-8331-37F6A9E0C8EA}\Connection@Name isatap.{3CC20FC3-E2F7-4694-9E66-57FC9DE177F6} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{01D6FEA9-3A7F-48A6-8299-4AA5CBA357DD}?\Device\{1A569E1B-4F12-4E4B-8331-37F6A9E0C8EA}?\Device\{8FDE83C6-3E0A-4615-94B4-6FAD3D7B7C5E}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{01D6FEA9-3A7F-48A6-8299-4AA5CBA357DD}"?"{1A569E1B-4F12-4E4B-8331-37F6A9E0C8EA}"?"{8FDE83C6-3E0A-4615-94B4-6FAD3D7B7C5E}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{01D6FEA9-3A7F-48A6-8299-4AA5CBA357DD}?\Device\TCPIP6TUNNEL_{1A569E1B-4F12-4E4B-8331-37F6A9E0C8EA}?\Device\TCPIP6TUNNEL_{8FDE83C6-3E0A-4615-94B4-6FAD3D7B7C5E}? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 271 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 3129792 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689dc48669 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0143dcd086c Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{1A569E1B-4F12-4E4B-8331-37F6A9E0C8EA}@InterfaceName isatap.{3CC20FC3-E2F7-4694-9E66-57FC9DE177F6} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{1A569E1B-4F12-4E4B-8331-37F6A9E0C8EA}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\24-76-7d-39-06-c3@ClientLocalPort 61624 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\24-76-7d-39-06-c3@TeredoAddress 2001:0:9d38:6abd:88b:f47:c1ea:ba07 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 11550 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 271 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 3129792 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition1\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689dc48669 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0143dcd086c (not active ControlSet) ---- EOF - GMER 2.1 ----