GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-06 21:38:36 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 KINGSTON_SV300S37A60G rev.505ABBF1 55,90GB Running: uey4cluu.exe; Driver: C:\Users\Ania\AppData\Local\Temp\kxldqpob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff9600023b600 15 bytes [00, F8, 09, 02, 80, 32, 72, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff9600023b610 11 bytes [00, BC, FB, FF, 00, 77, B2, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\System32\smss.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\csrss.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\wininit.exe[492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\wininit.exe[492] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\winlogon.exe[556] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\services.exe[572] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\svchost.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\svchost.exe[660] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\svchost.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\svchost.exe[692] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\dwm.exe[796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\dwm.exe[796] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\dwm.exe[796] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffb6e63169a 4 bytes [63, 6E, FB, 7F] .text C:\Windows\system32\dwm.exe[796] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffb6e6316a2 4 bytes [63, 6E, FB, 7F] .text C:\Windows\system32\dwm.exe[796] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffb6e63181a 4 bytes [63, 6E, FB, 7F] .text C:\Windows\system32\dwm.exe[796] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffb6e631832 4 bytes [63, 6E, FB, 7F] .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\System32\svchost.exe[428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\System32\svchost.exe[428] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\svchost.exe[484] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\svchost.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\svchost.exe[688] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\System32\svchost.exe[976] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\System32\spoolsv.exe[1320] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\svchost.exe[1368] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\svchost.exe[1532] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\dashost.exe[2196] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\svchost.exe[2264] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\Explorer.EXE[2492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\Explorer.EXE[2492] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\Explorer.EXE[2492] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffb6e63169a 4 bytes [63, 6E, FB, 7F] .text C:\Windows\Explorer.EXE[2492] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffb6e6316a2 4 bytes [63, 6E, FB, 7F] .text C:\Windows\Explorer.EXE[2492] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffb6e63181a 4 bytes [63, 6E, FB, 7F] .text C:\Windows\Explorer.EXE[2492] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffb6e631832 4 bytes [63, 6E, FB, 7F] .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\taskhostex.exe[2500] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffb7052ac30 5 bytes JMP 00007ffbf0650460 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffb7052ac80 5 bytes JMP 00007ffbf0650450 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffb7052ade0 1 byte JMP 00007ffbf0650370 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 2 00007ffb7052ade2 3 bytes {JMP 0xffffffff80125590} .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffb7052ae30 5 bytes JMP 00007ffbf0650470 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffb7052ae40 5 bytes JMP 00007ffbf06503e0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffb7052aef0 5 bytes JMP 00007ffbf0650320 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffb7052af20 1 byte JMP 00007ffbf06503b0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 2 00007ffb7052af22 3 bytes {JMP 0xffffffff80125490} .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffb7052af40 5 bytes JMP 00007ffbf0650390 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffb7052af80 5 bytes JMP 00007ffbf06502e0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffb7052b000 5 bytes JMP 00007ffbf06502d0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffb7052b020 5 bytes JMP 00007ffbf0650310 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffb7052b060 5 bytes JMP 00007ffbf06503c0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffb7052b0b0 5 bytes JMP 00007ffbf06503f0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffb7052b210 5 bytes JMP 00007ffbf0650230 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffb7052b400 5 bytes JMP 00007ffbf0650480 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffb7052b430 5 bytes JMP 00007ffbf06503a0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffb7052b550 5 bytes JMP 00007ffbf06502f0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffb7052b570 5 bytes JMP 00007ffbf0650350 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffb7052b5e0 5 bytes JMP 00007ffbf0650290 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffb7052b670 5 bytes JMP 00007ffbf06502b0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffb7052b690 5 bytes JMP 00007ffbf06503d0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffb7052b6a0 1 byte JMP 00007ffbf0650330 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00007ffb7052b6a2 3 bytes {JMP 0xffffffff80124c90} .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffb7052b750 5 bytes JMP 00007ffbf0650410 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffb7052b780 5 bytes JMP 00007ffbf0650240 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffb7052baa0 5 bytes JMP 00007ffbf06501e0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffb7052bb60 5 bytes JMP 00007ffbf0650250 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffb7052bb90 5 bytes JMP 00007ffbf0650490 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffb7052bba0 5 bytes JMP 00007ffbf06504a0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffb7052bbd0 5 bytes JMP 00007ffbf0650300 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffb7052bbe0 5 bytes JMP 00007ffbf0650360 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffb7052bc40 5 bytes JMP 00007ffbf06502a0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffb7052bc90 5 bytes JMP 00007ffbf06502c0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffb7052bcc0 5 bytes JMP 00007ffbf0650380 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffb7052bcd0 5 bytes JMP 00007ffbf0650340 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffb7052bfe0 5 bytes JMP 00007ffbf0650440 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffb7052c1e0 5 bytes JMP 00007ffbf0650260 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffb7052c1f0 5 bytes JMP 00007ffbf0650270 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffb7052c210 5 bytes JMP 00007ffbf0650400 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffb7052c3f0 5 bytes JMP 00007ffbf06501f0 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffb7052c400 5 bytes JMP 00007ffbf0650210 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffb7052c490 5 bytes JMP 00007ffbf0650200 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffb7052c500 5 bytes JMP 00007ffbf0650420 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffb7052c510 5 bytes JMP 00007ffbf0650430 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffb7052c520 5 bytes JMP 00007ffbf0650220 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffb7052c630 5 bytes JMP 00007ffbf0650280 .text C:\Windows\system32\SearchIndexer.exe[2472] C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[3624] C:\Windows\SYSTEM32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffb6e50553d 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [500:524] fffff96000927b90 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0xDF 0x0E 0x39 0x8B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x05 0x61 0x93 0x75 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0xDF 0x0E 0x39 0x8B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0xC1 0xE9 0x93 0x75 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 45 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SAM03E5H9XS155681_05_07D9_42^13EEA566EAA58DF3AA80ABA62F3837E3@Timestamp 0xFC 0x92 0x04 0x8C ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 604 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\ProgramData\DataMngr\stats.cfg??\??\C:\Program Files (x86)\iSafe\NVD??\??\C:\Users\Ania\AppData\Local\Temp\_@482A.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@482B.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@483C.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@483D.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@484E.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@484F.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@4850.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@4860.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@4861.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@4862.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@4863.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@4874.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@4875.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@4876.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@4877.tmp??\??\C:\Users\Ania\AppData\Local\Temp\_@4888.tmp?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900026 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -889271558 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 49 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 418987780 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 20294 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID c4ee1afe-b786-4be1-b62a-26d20aa Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter 38 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{50f7ce83-f34b-4bc2-91a4-2ca5a11dde77}@LastProbeTime 1407357915 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2356 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 505 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 46 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAF667B2-9DB9-4B4E-B9C7-A9B6764DDCDE}@LeaseObtainedTime 1407350714 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAF667B2-9DB9-4B4E-B9C7-A9B6764DDCDE}@T1 1407393914 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAF667B2-9DB9-4B4E-B9C7-A9B6764DDCDE}@T2 1407426314 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAF667B2-9DB9-4B4E-B9C7-A9B6764DDCDE}@LeaseTerminatesTime 1407437114 Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@Hidden 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce@Report C:\AdwCleaner\AdwCleaner[S1].txt ---- EOF - GMER 2.1 ----