GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-22 21:37:03 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\0000005c SAMSUNG_ rev.2AJ1 298,09GB Running: vb6lkxyd.exe; Driver: C:\Users\Piotrek\AppData\Local\Temp\afpiypog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\wininit.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\wininit.exe[468] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 000000014a120460 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 000000014a120450 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 000000014a120370 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 000000014a120470 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 000000014a1203e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 000000014a120320 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 000000014a1203b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 000000014a120390 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 000000014a1202e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 000000014a1202d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 000000014a120310 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 000000014a1203c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 000000014a1203f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 000000014a120230 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 000000014a120480 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 000000014a1203a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 000000014a1202f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 000000014a120350 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 000000014a120290 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 000000014a1202b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 000000014a1203d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 000000014a120330 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 000000014a120410 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 000000014a120240 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 000000014a1201e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 000000014a120250 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 000000014a120490 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 000000014a1204a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 000000014a120300 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 000000014a120360 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 000000014a1202a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 000000014a1202c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 000000014a120380 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 000000014a120340 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 000000014a120440 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 000000014a120260 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 000000014a120270 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 000000014a120400 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 000000014a1201f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 000000014a120210 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 000000014a120200 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 000000014a120420 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 000000014a120430 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 000000014a120220 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 000000014a120280 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsass.exe[552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\winlogon.exe[848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\System32\svchost.exe[960] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\System32\svchost.exe[960] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\System32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\atieclxx.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[1164] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\Dwm.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\Explorer.EXE[1392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\Explorer.EXE[1392] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[1728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\taskhost.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007568b0c5 1 byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe[1976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[1556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\System32\svchost.exe[1612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\taskeng.exe[2340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2628] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 000000007566d03c 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2628] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007568b0c5 1 byte [62] .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[2956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3204] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\System32\svchost.exe[3836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[2604] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\servicing\TrustedInstaller.exe[2648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\wuauclt.exe[2896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007726ff60 5 bytes JMP 00000000773d0460 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007726ffb0 5 bytes JMP 00000000773d0450 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077270110 5 bytes JMP 00000000773d0370 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077270160 5 bytes JMP 00000000773d0470 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077270170 5 bytes JMP 00000000773d03e0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077270220 5 bytes JMP 00000000773d0320 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077270250 5 bytes JMP 00000000773d03b0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077270270 5 bytes JMP 00000000773d0390 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000772702b0 5 bytes JMP 00000000773d02e0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077270330 5 bytes JMP 00000000773d02d0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077270350 5 bytes JMP 00000000773d0310 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077270390 5 bytes JMP 00000000773d03c0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000772703e0 5 bytes JMP 00000000773d03f0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077270540 5 bytes JMP 00000000773d0230 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077270700 5 bytes JMP 00000000773d0480 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077270730 5 bytes JMP 00000000773d03a0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077270810 5 bytes JMP 00000000773d02f0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077270820 5 bytes JMP 00000000773d0350 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077270880 5 bytes JMP 00000000773d0290 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077270910 5 bytes JMP 00000000773d02b0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077270930 5 bytes JMP 00000000773d03d0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077270940 5 bytes JMP 00000000773d0330 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000772709b0 5 bytes JMP 00000000773d0410 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000772709e0 5 bytes JMP 00000000773d0240 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077270ca0 5 bytes JMP 00000000773d01e0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077270d60 5 bytes JMP 00000000773d0250 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077270d90 5 bytes JMP 00000000773d0490 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077270da0 5 bytes JMP 00000000773d04a0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077270dd0 5 bytes JMP 00000000773d0300 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077270de0 5 bytes JMP 00000000773d0360 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077270e40 5 bytes JMP 00000000773d02a0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077270e90 5 bytes JMP 00000000773d02c0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077270ec0 5 bytes JMP 00000000773d0380 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077270ed0 5 bytes JMP 00000000773d0340 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000772711c0 5 bytes JMP 00000000773d0440 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000772713c0 5 bytes JMP 00000000773d0260 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000772713d0 5 bytes JMP 00000000773d0270 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000772713e0 5 bytes JMP 00000000773d0400 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000772715a0 5 bytes JMP 00000000773d01f0 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000772715b0 5 bytes JMP 00000000773d0210 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077271620 5 bytes JMP 00000000773d0200 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077271680 5 bytes JMP 00000000773d0420 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077271690 5 bytes JMP 00000000773d0430 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000772716a0 5 bytes JMP 00000000773d0220 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077271780 5 bytes JMP 00000000773d0280 .text C:\Windows\system32\taskhost.exe[4896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007705f1bd 1 byte [62] .text C:\Users\Piotrek\Downloads\vb6lkxyd.exe[2436] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007568b0c5 1 byte [62] ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [1612:2320] 000007fef6089688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events ---- EOF - GMER 2.1 ----