GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-06 23:15:23 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HTS542516K9A300 rev.BBCOC3MP 149,05GB Running: y5tld4ix.exe; Driver: C:\Users\KiL\AppData\Local\Temp\uwldqpow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031f4000 16 bytes [8B, E3, 41, 5F, 41, 5E, 41, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 545 fffff800031f4011 35 bytes {LEA ECX, [RSP+0x70]; CALL 0x3d64f} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 000000014a410460 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 000000014a410450 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 000000014a410370 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 000000014a410470 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 000000014a4103e0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 000000014a410320 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 000000014a4103b0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 000000014a410390 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 000000014a4102e0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 000000014a4102d0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 000000014a410310 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 000000014a4103c0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 000000014a4103f0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 000000014a410230 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 000000014a410480 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 000000014a4103a0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 000000014a4102f0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 000000014a410350 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 000000014a410290 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 000000014a4102b0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 000000014a4103d0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 000000014a410330 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 000000014a410410 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 000000014a410240 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 000000014a4101e0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 000000014a410250 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 000000014a410490 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 000000014a4104a0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 000000014a410300 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 000000014a410360 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 000000014a4102a0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 000000014a4102c0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 000000014a410380 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 000000014a410340 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 000000014a410440 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 000000014a410260 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 000000014a410270 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 000000014a410400 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 000000014a4101f0 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 000000014a410210 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 000000014a410200 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 000000014a410420 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 000000014a410430 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 000000014a410220 .text C:\Windows\system32\csrss.exe[440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 000000014a410280 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 000000014a410460 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 000000014a410450 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 000000014a410370 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 000000014a410470 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 000000014a4103e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 000000014a410320 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 000000014a4103b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 000000014a410390 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 000000014a4102e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 000000014a4102d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 000000014a410310 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 000000014a4103c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 000000014a4103f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 000000014a410230 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 000000014a410480 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 000000014a4103a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 000000014a4102f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 000000014a410350 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 000000014a410290 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 000000014a4102b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 000000014a4103d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 000000014a410330 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 000000014a410410 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 000000014a410240 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 000000014a4101e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 000000014a410250 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 000000014a410490 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 000000014a4104a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 000000014a410300 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 000000014a410360 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 000000014a4102a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 000000014a4102c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 000000014a410380 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 000000014a410340 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 000000014a410440 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 000000014a410260 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 000000014a410270 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 000000014a410400 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 000000014a4101f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 000000014a410210 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 000000014a410200 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 000000014a410420 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 000000014a410430 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 000000014a410220 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 000000014a410280 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\services.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\services.exe[568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\lsass.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\winlogon.exe[636] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\atiesrxx.exe[896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\System32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\System32\svchost.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\System32\svchost.exe[236] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\svchost.exe[348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[524] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe[832] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\atieclxx.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\svchost.exe[1340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\Dwm.exe[1652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\Explorer.EXE[1676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\Explorer.EXE[1676] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\System32\spoolsv.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\taskhost.exe[1748] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\svchost.exe[1812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe[1976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 0000000100070280 .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[1160] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[2940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007707ef8d 1 byte [62] .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\DllHost.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Program Files (x86)\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe[2464] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ca2fd 1 byte [62] .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe[2456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\SearchIndexer.exe[2076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3316] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ca2fd 1 byte [62] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[3332] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ca2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3356] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000767a8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3356] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ca2fd 1 byte [62] .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\System32\svchost.exe[3380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077191360 5 bytes JMP 00000000772f0460 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000771913b0 5 bytes JMP 00000000772f0450 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077191510 5 bytes JMP 00000000772f0370 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077191560 5 bytes JMP 00000000772f0470 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077191570 5 bytes JMP 00000000772f03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077191620 5 bytes JMP 00000000772f0320 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077191650 5 bytes JMP 00000000772f03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077191670 5 bytes JMP 00000000772f0390 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000771916b0 5 bytes JMP 00000000772f02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077191730 5 bytes JMP 00000000772f02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077191750 5 bytes JMP 00000000772f0310 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077191790 5 bytes JMP 00000000772f03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000771917e0 5 bytes JMP 00000000772f03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077191940 5 bytes JMP 00000000772f0230 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077191b00 5 bytes JMP 00000000772f0480 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077191b30 5 bytes JMP 00000000772f03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077191c10 5 bytes JMP 00000000772f02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077191c20 5 bytes JMP 00000000772f0350 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077191c80 5 bytes JMP 00000000772f0290 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077191d10 5 bytes JMP 00000000772f02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077191d30 5 bytes JMP 00000000772f03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077191d40 5 bytes JMP 00000000772f0330 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077191db0 5 bytes JMP 00000000772f0410 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077191de0 5 bytes JMP 00000000772f0240 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000771920a0 5 bytes JMP 00000000772f01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077192160 5 bytes JMP 00000000772f0250 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077192190 5 bytes JMP 00000000772f0490 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000771921a0 5 bytes JMP 00000000772f04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000771921d0 5 bytes JMP 00000000772f0300 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000771921e0 5 bytes JMP 00000000772f0360 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077192240 5 bytes JMP 00000000772f02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077192290 5 bytes JMP 00000000772f02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000771922c0 5 bytes JMP 00000000772f0380 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000771922d0 5 bytes JMP 00000000772f0340 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000771925c0 5 bytes JMP 00000000772f0440 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000771927c0 5 bytes JMP 00000000772f0260 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000771927d0 5 bytes JMP 00000000772f0270 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000771927e0 5 bytes JMP 00000000772f0400 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000771929a0 5 bytes JMP 00000000772f01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000771929b0 5 bytes JMP 00000000772f0210 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077192a20 5 bytes JMP 00000000772f0200 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077192a80 5 bytes JMP 00000000772f0420 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077192a90 5 bytes JMP 00000000772f0430 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077192aa0 5 bytes JMP 00000000772f0220 .text C:\Windows\system32\wbem\wmiprvse.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077192b80 5 bytes JMP 00000000772f0280 .text C:\Users\KiL\Desktop\SCAN\GMEr\y5tld4ix.exe[4976] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000767ca2fd 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [1116:3476] 000007fef1139688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0021866574fa Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0021866574fa (not active ControlSet) ---- EOF - GMER 2.1 ----