GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-05 14:07:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.AX0A 465,76GB Running: 7rvmlllr.exe; Driver: C:\Windows\TEMP\pwlyipow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800031a7000 52 bytes [FF, FF, FF, FF, FF, FF, FF, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 614 fffff800031a7036 27 bytes [FF, FF, FF, FF, FF, FF, FF, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0xffffffff8870e890} .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0xffffffff8870e590} .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0xffffffff8870e090} .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[780] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\svchost.exe[304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0460 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0450 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0480 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac0490 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04a0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0440 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\System32\svchost.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0xffffffff8870e890} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0xffffffff8870e590} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0xffffffff8870e090} .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[1056] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007738eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007738eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\svchost.exe[1828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\taskeng.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2144] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0460 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0450 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0480 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac0490 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04a0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0440 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007738eecd 1 byte [62] .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0460 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0450 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0480 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac0490 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0440 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\Sony\VAIO Smart Network\VSNService.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0460 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0450 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0480 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac0490 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0440 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\Sony\VAIO Care\VCPerfService.exe[2612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007738eecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007738eecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[3604] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\wbem\wmiprvse.exe[3184] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007738eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[5148] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007738eecd 1 byte [62] .text C:\Users\hoshi\Desktop\FRST64.exe[5700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007738eecd 1 byte [62] .text C:\Windows\SysWOW64\DllHost.exe[5440] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] .text C:\Users\hoshi\Desktop\7rvmlllr.exe[4160] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076bda30a 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExAllocatePoolWithTag] [fffff88001d13c18] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoAcquireRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeQueryActiveProcessors] [fffff88001d1296c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoDeleteSymbolicLink] [fffff88001d13bc8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExFreePoolWithTag] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoRegisterShutdownNotification] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlInitUnicodeString] [fffff88001d13bc0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoDeleteDevice] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlAppendUnicodeToString] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeInitializeEvent] [fffff88001d13bd0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeInitializeDpc] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeSetTimerEx] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoUnregisterShutdownNotification] [fffff88001d13bc4] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!InitSafeBootMode] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoReleaseRemoveLockAndWaitEx] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoIsWdmVersionAvailable] [fffff88001d13be0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExDeleteResourceLite] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoCreateSymbolicLink] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlCopyUnicodeString] [fffff88001d13bd8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoInitializeRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExInitializeResourceLite] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeInitializeTimerEx] [fffff88001d13be8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeCancelTimer] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmUnmapLockedPages] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmFreeContiguousMemory] [fffff88001d13bdc] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmUnmapIoSpace] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmMapIoSpace] [fffff88001d13bf8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmFreePagesFromMdl] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExAcquireResourceExclusiveLite] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeLeaveCriticalRegion] [fffff88001d13bf0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoReleaseRemoveLockEx] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoFreeMdl] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeEnterCriticalRegion] [fffff88001d13c00] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExAcquireResourceSharedLite] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExReleaseResourceLite] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IofCompleteRequest] [fffff88001d13bf4] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmProbeAndLockPages] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmUnlockPages] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoAllocateMdl] [fffff88001d13c10] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlDeleteElementGenericTableAvl] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlInsertElementGenericTableAvl] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsLookupProcessByProcessId] [fffff88001d13c08] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeUnstackDetachProcess] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlIsGenericTableEmptyAvl] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlInitializeGenericTableAvl] [fffff88001d13d78] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlEnumerateGenericTableAvl] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ObfDereferenceObject] [fffff88001d1296c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlLookupElementGenericTableAvl] [fffff88001d13c88] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeStackAttachProcess] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsGetProcessWin32Process] [fffff88001d12958] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoFreeWorkItem] [fffff88001d13c28] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoGetCurrentProcess] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoAllocateWorkItem] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmIsAddressValid] [fffff88001d13c0c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoQueueWorkItem] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExUnregisterCallback] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwCreateKey] [fffff88001d13c38] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeResetEvent] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsSetLoadImageNotifyRoutine] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeSetPriorityThread] [fffff88001d13c30] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeSetEvent] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlCheckRegistryKey] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsSetCreateProcessNotifyRoutine] [fffff88001d13c40] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmAllocatePagesForMdl] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmGetPhysicalAddress] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsCreateSystemThread] [fffff88001d13c34] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwQueryValueKey] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsTerminateSystemThread] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwClose] [fffff88001d13c50] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ObReferenceObjectByHandle] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeWaitForSingleObject] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsRemoveLoadImageNotifyRoutine] [fffff88001d13c48] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExRegisterCallback] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!PsThreadType] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlCompareUnicodeString] [fffff88001d13c58] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeSetSystemAffinityThread] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeWaitForMultipleObjects] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmGetPhysicalMemoryRanges] [fffff88001d13c4c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExCreateCallback] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmAllocateContiguousMemorySpecifyCache] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!DbgPrint] [fffff88001d13c68] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmFreeMappingAddress] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmAllocateMappingAddress] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ProbeForRead] [fffff88001d13c60] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ExGetPreviousMode] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!MmGetSystemRoutineAddress] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoCreateDevice] [fffff88001d13c70] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ObOpenObjectByPointer] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwSetSecurityObject] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!IoDeviceObjectType] [fffff88001d13c64] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!_snwprintf] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlLengthSecurityDescriptor] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!SeCaptureSecurityDescriptor] [fffff88001d13c80] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlCreateSecurityDescriptor] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlSetDaclSecurityDescriptor] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlAbsoluteToSelfRelativeSD] [fffff88001d13c78] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!SeExports] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!wcschr] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!_wcsnicmp] [fffff88001d13cf8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlLengthSid] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlAddAccessAllowedAce] [fffff88001d12958] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlGetSaclSecurityDescriptor] [fffff88001d13c98] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlGetDaclSecurityDescriptor] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlGetGroupSecurityDescriptor] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlGetOwnerSecurityDescriptor] [fffff88001d13c7c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwOpenKey] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwSetValueKey] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!RtlFreeUnicodeString] [fffff88001d13ca8] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!KeBugCheckEx] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwMapViewOfSection] [fffff88001d12964] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwUnmapViewOfSection] [fffff88001d13ca0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwCreateSection] [?] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!ZwOpenFile] [fffff88001d1295c] \SystemRoot\System32\Drivers\aswVmm.sys [.text] IAT C:\Windows\System32\Drivers\aswVmm.sys[ntoskrnl.exe!__C_specific_handler] [fffff88001d13cb0] \SystemRoot\System32\Drivers\aswVmm.sys [.text] ---- Devices - GMER 2.1 ---- Device \Driver\aswHwid \Device\AswHWID fffff880085d6568 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [1056:1484] 000007fefb4259a0 Thread C:\Windows\System32\svchost.exe [1056:1540] 000007fefd811a70 Thread C:\Windows\System32\svchost.exe [1056:2584] 000007fef9b644e0 Thread C:\Windows\System32\svchost.exe [1056:3848] 000007fef9a688f8 Thread C:\Windows\system32\svchost.exe [1100:2804] 000007fefcc21c20 Thread C:\Windows\system32\svchost.exe [1100:3892] 000007fefcc21c20 Thread C:\Windows\system32\svchost.exe [1100:4204] 000007fef71b506c Thread C:\Windows\system32\svchost.exe [1100:5320] 000007fef41acb70 Thread C:\Windows\system32\svchost.exe [1100:5636] 000007fef77ba978 Thread C:\Windows\system32\svchost.exe [1100:4292] 000007fef2b41ab0 Thread C:\Windows\system32\svchost.exe [1288:1656] 000007fef9f7bd88 Thread C:\Windows\system32\svchost.exe [1288:2072] 000007fef9af83d8 Thread C:\Windows\system32\svchost.exe [1288:2076] 000007fef9af83d8 Thread C:\Windows\system32\svchost.exe [1288:2080] 000007fef9af83d8 Thread C:\Windows\system32\svchost.exe [1288:2088] 000007fef9af83d8 Thread C:\Windows\system32\svchost.exe [1288:2388] 000007fef9323f1c Thread C:\Windows\system32\svchost.exe [1288:2396] 000007fef92f1a38 Thread C:\Windows\system32\svchost.exe [1288:2420] 000007fef91b5388 Thread C:\Windows\system32\svchost.exe [1288:2436] 000007fef9127738 Thread C:\Windows\system32\svchost.exe [1288:2452] 000007fef90a1f90 Thread C:\Windows\system32\svchost.exe [1288:2128] 000007fef9e25124 Thread C:\Windows\system32\svchost.exe [1288:6668] 000007fefbba341c Thread C:\Windows\system32\svchost.exe [1288:6468] 000007fefbba3a2c Thread C:\Windows\system32\svchost.exe [1288:7444] 000007fefbba3768 Thread C:\Windows\system32\svchost.exe [1288:7184] 000007fefbba5c20 Thread C:\Windows\system32\svchost.exe [1288:4484] 000007fefbba3900 Thread C:\Windows\system32\WLANExt.exe [1504:1548] 00000000002f86e4 Thread C:\Windows\system32\WLANExt.exe [1504:1552] 00000000002f86e4 Thread C:\Windows\System32\spoolsv.exe [1796:2676] 000007fef85f10c8 Thread C:\Windows\System32\spoolsv.exe [1796:2688] 000007fef85b6144 Thread C:\Windows\System32\spoolsv.exe [1796:2692] 000007fef83a5fd0 Thread C:\Windows\System32\spoolsv.exe [1796:2696] 000007fef8393438 Thread C:\Windows\System32\spoolsv.exe [1796:2700] 000007fef83a63ec Thread C:\Windows\System32\spoolsv.exe [1796:2812] 000007fef8685e5c Thread C:\Windows\System32\spoolsv.exe [1796:2824] 000007fef8735074 Thread C:\Windows\system32\taskhost.exe [1728:968] 000007fef7a92740 Thread C:\Windows\system32\taskhost.exe [1728:1068] 000007fef7a21f38 Thread C:\Windows\system32\taskhost.exe [1728:2636] 000007fefbe51010 Thread C:\Windows\Explorer.EXE [1812:3372] 000007fefb532154 Thread C:\Windows\Explorer.EXE [1812:3644] 000007fefc0f6204 Thread C:\Windows\Explorer.EXE [1812:3736] 000007fef3872118 Thread C:\Windows\Explorer.EXE [1812:4228] 000007fefab62f9c Thread C:\Windows\Explorer.EXE [1812:4868] 000007fef33da3f8 Thread C:\Windows\Explorer.EXE [1812:3508] 000007fefab62f9c Thread C:\Windows\Explorer.EXE [1812:2644] 000007fefab62f9c Thread C:\Windows\Explorer.EXE [1812:4272] 000007fef33dbbc8 Thread C:\Windows\Explorer.EXE [1812:4216] 000007fefad61ebc Thread C:\Windows\Explorer.EXE [1812:4588] 000007fee4b5f5bc Thread C:\Windows\Explorer.EXE [1812:7328] 000007fefdf420c0 Thread C:\Windows\System32\svchost.exe [5148:2764] 000007fefaf99688 Thread C:\Windows\system32\mmc.exe [5288:2260] 0000000075031b80 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???-????? ???????_???????????[?5????????????????????????? ???????_???????????|?5???????????? ????????????f?h?h?h?h?h?h?h?????h?h?m?m?&???g?g?g?i?i?i?i?i?????i?i?i?i?&????????????????????????????????????????6???????????5?????????????????????3????????????i???????i?????????????e???????j??????????????????????????????????????????????6???????????5?????????????????????3????????????i??8.8.8.8 8.8.4.4?????????????????????????????????????????????????????255.255.255.0?????????????????????????????????????????????????????????????0?????????????????????????????????????????????? ??????????????????????????????d??? ?????????????????????????????????d??????n????hsysh?\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys?@??????????A?????ey ??nitor???????192.168.19.21???????.?????????????????????????????????????????????????Q?????????????????;???????????:???????????3???????????6???????????5?????????????????????8?FSFilter Activity Monitor????{?{???|?????????-??? ??????????????????????????????.?????????sMSw????.??????t???????e??MBAMSwi Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\08edb9be64ec Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\08edb9be64ec (not active ControlSet) ---- EOF - GMER 2.1 ----